Hello, and welcome to Tools of the Trade: Linux and SQL, the fourth course in the Google
Cybersecurity Certificate. You're on an exciting journey!

By the end of this course, you will develop a greater understanding of the basics of computing that 
will support your work as a security analyst. You will learn foundational concepts related to 
understanding operating systems, communicating with the Linux operating system through 
commands, and querying databases with Structured Query Language (SQL). These are key 
concepts in the cybersecurity field and understanding them will help you keep organizations secure. 


Hi! Welcome to this course on computing basics for security. My name is Kim, and I work as a
Technical Program Manager in security. I grew up with computers and the internet but didn't really
consider security as a career opportunity until I saw how it was interwoven into technology.


Before my first security job, I worked on a cloud application team and had to regularly interact with
the security team. It was my first experience working with security, but the idea of protecting
information and working with others towards that goal was exciting to me. As a result, I decided to
work towards my CISSP, which led me to some new job opportunities at my company, and I was
then able to move into security.


At this point, if you've been following along, you've already explored a variety of concepts useful to 
the security field, including security domains and networking. I'm excited to join you during the next 
part of the program. We'll take it slow so that you can understand these topics in practical ways. The 
focus of this course is computing basics. When you understand how the machines in an 
organization's system work, it helps you do your job as a security analyst more efficiently. 


Part of your job as a security analyst is to keep systems protected from possible attacks. You're one
of the first levels of defense in protecting an organization's data. To do this effectively, it's helpful to
understand how the system you're protecting works. In addition, you may need to investigate events
to help correct errors in the system. Being familiar with the Linux operating system and its associated
commands, and being able to interact with an organization's data through SQL, will help you
with that.


In this course, you'll learn about operating systems and how they relate to applications and
hardware. Next, you'll explore the Linux operating system in more detail. Then you'll use the Linux
command line within a security context. Finally, we'll discuss how you can use SQL to query
databases while working as a security analyst. I'm excited to explore all of these topics with you.
Let's get started.


Healthy habits for course completion 


Here is a list of best practices that will help you complete the courses in the program in a timely 
manner: 

• Plan your time: Setting regular study times and following them each week can help you
  make learning a part of your routine. Use a calendar or timetable to create a schedule,
  and list what you plan to do each day in order to set achievable goals. Find a space that
  allows you to focus when you watch the videos, review the readings, and complete the
  activities.

• Work at your own pace: Everyone learns differently, so this program has been
  designed to let you work at your own pace. Although your personalized deadlines start
  when you enroll, feel free to move through the program at the speed that works best for
  you. There is no penalty for late assignments; to earn your certificate, all you have to do
  is complete all of the work. You can extend your deadlines at any time by going to
  Overview in the navigation panel and selecting Switch Sessions. If you have already
  missed previous deadlines, select Reset my deadlines instead.

• Be curious: If you find an idea that gets you excited, act on it! Ask questions, search for
  more details online, explore the links that interest you, and take notes on your
  discoveries. The steps you take to support your learning along the way will advance your
  knowledge, create more opportunities in this high-growth field, and help you qualify for
  jobs.

• Take notes: Notes will help you remember important information in the future, especially
  as you're preparing to enter a new job field. In addition, taking notes is an effective way
  to make connections between topics and gain a better understanding of those topics.


Welcome to module 1 


How many times a week do you use a computer? For some of us, the answer might be "a lot"! They
are incredible machines that let us do everything from using specialized applications when
completing a task at work to sending emails to loved ones in a distant place. Have you ever thought
about how computers can do all of this? Well, that's where operating systems come in.


In this section, we'll learn about common operating systems, and we'll explore the main functions of
an operating system. Then, we'll learn the relationship between operating systems, applications, and
hardware. Finally, we'll compare graphical user interfaces and command-line interfaces. The
command-line interface will be an essential part of your job as a security analyst. Understanding
operating systems is an important foundation for your career in security. There's so much to explore.

Let's begin.


Introduction to operating systems 


Devices like computers, smartphones, and tablets all have operating systems. If you've used a
desktop or laptop computer, you may have used the Windows or macOS operating systems.
Smartphones and tablets run on mobile operating systems like Android and iOS. Another popular
operating system is Linux. Linux is used in the security industry, and as a security professional, it's
likely that you'll interact with the Linux OS.


So what exactly is an operating system? It's the interface between the computer hardware and the
user. The operating system, or the OS as it's commonly called, is responsible for making the
computer run as efficiently as possible while also making it easy to use. Hardware may be another
new term. Hardware refers to the physical components of a computer.


The OS interface that we now rely on every day is something that early computers didn't have. In the
1950s the biggest challenge with early computers was the amount of time it took to run a computer
program. At the time, computers could not run multiple programs simultaneously. Instead, people
had to wait for a program to finish running, reset the computer, and load up the new program.
Imagine having to turn your computer on and off each time you had to open a new application! It
would take a long time to complete a simple task like sending an email. Since then, operating
systems have evolved, and we no longer have to worry about wasting time in this way. Thanks to
operating systems and their evolution, today's computers run efficiently. They run multiple
applications at once, and they also access external devices like printers, keyboards, and mice.


Another reason why operating systems are important is that they help humans and computers
communicate with each other. Computers communicate in a language called binary, which consists
of 0s and 1s. The OS provides an interface to bridge this communication gap between the user and
the computer, allowing you to interact with the computer in complex ways.


Operating systems are critical for the use of computers. Likewise, OS security is also critical for the
security of a computer. This involves securing files, data access, and user authentication to help
protect against threats such as viruses, worms, and other malware. Knowing how operating
systems work is essential for completing different security-related tasks. For example, as a security
analyst, you may be responsible for configuring and maintaining the security of a system by
managing access. You may also be responsible for managing and configuring firewalls, setting
security policies, enabling virus protection, and performing auditing, accounting, and logging to
detect unusual behavior. All these tasks require a deep understanding of operating systems, and as
we continue this course, we'll explore operating systems in greater detail.


Compare operating systems 


You previously explored why operating systems are an important part of how a computer works. In
this reading, you'll compare some popular operating systems used today. You'll also focus on the
risks of using legacy operating systems.


Common operating systems 


The following operating systems are useful to know in the security industry: Windows, macOS®,
Linux, ChromeOS, Android, and iOS.


Windows and macOS


Windows and macOS are both common operating systems. The Windows operating system was
introduced in 1985, and macOS was introduced in 1984. Both operating systems are used in
personal and enterprise computers.


Windows is a closed-source operating system, which means the source code is not shared freely
with the public. macOS is partially open source. It has some open-source components, such as
macOS's kernel. macOS also has some closed-source components.


Linux 


The first version of Linux was released in 1991, and other major releases followed in the early 
1990s. Linux is a completely open-source operating system, which means that anyone can access 
Linux and its source code. The open-source nature of Linux allows developers in the Linux 
community to collaborate. 

Linux is particularly important to the security industry. There are some distributions that are
specifically designed for security. Later in this course, you'll learn about Linux and its importance to
the security industry.


ChromeOS 


ChromeOS launched in 2011. It's partially open source and is derived from Chromium OS, which is
completely open source. ChromeOS is frequently used in the education field.


Android and iOS 


Android and iOS are both mobile operating systems. Unlike the other operating systems mentioned,
mobile operating systems are typically used in mobile devices, such as phones, tablets, and
watches. Android was introduced for public use in 2008, and iOS was introduced in 2007. Android is
open source, and iOS is partially open source.


Operating systems and vulnerabilities 


Security issues are inevitable with all operating systems. An important part of protecting an operating
system is keeping the system and all of its components up to date.


Legacy operating systems 


A legacy operating system is an operating system that is outdated but still being used. Some 
organizations continue to use legacy operating systems because software they rely on is not 
compatible with newer operating systems. This can be more common in industries that use a lot of 
equipment that requires embedded software—software that’s placed inside components of the 
equipment. 

Legacy operating systems can be vulnerable to security issues because they're no longer supported
or updated. This means that legacy operating systems might be vulnerable to new threats.


Other vulnerabilities 


Even when operating systems are kept up to date, they can still become vulnerable to attack. Below
are several resources that include information on operating systems and their vulnerabilities.

• Microsoft Security Response Center (MSRC): A list of known vulnerabilities affecting
  Microsoft products and services
• Apple Security Updates: A list of security updates and information for Apple® operating
  systems, including macOS and iOS, and other products
• Common Vulnerabilities and Exposures (CVE) Report for Ubuntu: A list of known
  vulnerabilities affecting Ubuntu, which is a specific distribution of Linux
• Google Cloud Security Bulletin: A list of known vulnerabilities affecting Google Cloud
  products and services


Keeping an operating system up to date is one key way to help the system stay secure. Because it
can be difficult to keep all systems updated at all times, it's important for security analysts to be
knowledgeable about legacy operating systems and the risks they can create.


Key takeaways 


Windows, macOS, Linux, ChromeOS, Android, and iOS are all commonly used operating systems.
Security analysts should be aware of vulnerabilities that affect operating systems. It's especially
important for security analysts to be familiar with legacy operating systems, which are systems that
are outdated but still being used.


Congratulations! You passed! 


Grade received 100% 


To pass 75% or higher 


Question 1 


What is an operating system? 


1/1 point 


The interface between the computer hardware and the user 


A computer, smartphone, or tablet 


A program for sending email 


The physical components of a computer 


Correct 


An operating system is the interface between computer hardware and the user. 


Question 2 


Which of the following are operating systems? Select all that apply. 


1/1 point 


Smartphones 


Linux 


Correct 


Android, Linux, and Windows are operating systems. Operating systems are interfaces between computer
hardware and the user.


Android 


Correct 


Android, Linux, and Windows are operating systems. Operating systems are interfaces between computer
hardware and the user.


Windows 


Correct 


Android, Linux, and Windows are operating systems. Operating systems are interfaces between computer
hardware and the user.


Question 3 


Which of the following statements correctly describe operating systems? Select all that apply. 


1/1 point 


Computers run efficiently because of operating systems. 


Correct 


Operating systems help people interact with computers, and computers run efficiently because of
operating systems. Operating systems are able to run many applications at once.


Operating systems help people interact with computers. 


Correct 


Operating systems help people interact with computers, and computers run efficiently because of
operating systems. Operating systems are able to run many applications at once.


Operating systems are the physical components of a computer. 


Operating systems are able to run many applications at once. 


Correct 


Operating systems help people interact with computers, and computers run efficiently because of
operating systems. Operating systems are able to run many applications at once.


Question 4 
Computers communicate in a language called binary, which consists of 0s and 1s.


1/1 point 


True 


False 


Correct 


Computers communicate in a language called binary, which consists of 0s and 1s.


Inside the operating system 


Previously, you learned about what operating systems are. Now, let's discuss how they work. In this
video, you'll learn what happens with an operating system, or OS, when someone uses a computer
for a task.


Think about when someone drives a car. They push the gas pedal and the car moves forward. They
don't need to pay attention to all the mechanics that allow the car to move. Just like a car can't work
without its engine, a computer can't work without its operating system.


The job of an OS is to help other computer programs run efficiently. The OS does this by taking care
of all the messy details related to controlling the computer's hardware, so you don't have to.


First, let's see what happens when you turn on the computer. When you press the power button,
you're interacting with the hardware. This boots the computer and brings up the operating system.
Booting the computer means that a special microchip called a BIOS is activated. On many
computers built after 2007, the chip was replaced by the UEFI. Both BIOS and UEFI contain booting
instructions that are responsible for loading a special program called the bootloader. Then, the
bootloader is responsible for starting the operating system. Just like that, your computer is on.


As a security analyst, understanding these processes can be helpful for you. Vulnerabilities can
occur in something like a booting process. Often, the BIOS is not scanned by the antivirus software,
so it can be vulnerable to malware infection. Now that you've learned how the operating system
boots, let's look at how you and all users communicate with the system to complete a task.


The process starts with you, the user. And to complete tasks, you use applications on your
computer. An application is a program that performs a specific task. When you do this, the
application sends your request to the operating system. From there, the operating system interprets
this request and directs it to the appropriate component of the computer's hardware.


In the previous video, we learned that the hardware consists of all the physical components of the
computer. The hardware will also send information back to the operating system. And this in turn is
sent back to the application.


Let's give a simple overview of how this works when you want to use the calculator on your
computer. You use your mouse to click on the calculator application on your computer. When you
type in the number you want to calculate, the application communicates with the operating system.
Your operating system then sends a calculation to a component of the hardware, the central
processing unit, or CPU. Once the hardware does the work of determining the final number, it sends
the answer back to your operating system. Then, it can be displayed in your calculator application.


Understanding this process is helpful when investigating security events. Security analysts should be
able to trace back through this process flow to analyze where a security event could have occurred.


Just like a mechanic needs to understand the inner workings of a car more than an average driver,
recognizing how operating systems work is important knowledge for a security analyst.


Requests to the operating system 


Operating systems are a critical component of a computer. They make connections between
applications and hardware to allow users to perform tasks. In this reading, you'll explore this
complex process further and consider it using a new analogy and a new example.


Booting the computer 


When you boot, or turn on, your computer, either a BIOS or UEFI microchip is activated. The Basic 
Input/Output System (BIOS) is a microchip that contains loading instructions for the computer and 
is prevalent in older systems. The Unified Extensible Firmware Interface (UEFI) is a microchip that 
contains loading instructions for the computer and replaces BIOS on more modern systems. 

The BIOS and UEFI chips both perform the same function for booting the computer. BIOS was the 
standard chip until 2007, when UEFI chips increased in use. Now, most new computers include a 
UEFI chip. UEFI provides enhanced security features. 

The BIOS or UEFI microchips contain a variety of loading instructions for the computer to follow. For 
example, one of the loading instructions is to verify the health of the computer’s hardware. 

The last instruction from the BIOS or UEFI activates the bootloader. The bootloader is a software
program that boots the operating system. Once the operating system has finished booting, your
computer is ready for use.
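The video and the reading above describe the BIOS/UEFI to bootloader to OS chain and note that UEFI adds security features. As an added example (not part of the course material), here is a POSIX shell check an analyst can run on a Linux host to see whether it booted through legacy BIOS or UEFI and whether UEFI Secure Boot (one of those features, named here as a fact rather than from the reading) is enabled. It reads sysfs; the sysfs root is a parameter so the functions can be exercised against a constructed directory tree, which the `make_fake_sysfs` helper builds.

```shell
#!/bin/sh
# Boot-firmware check for a Linux host (added example; not course material).
# The sysfs root is a parameter so the functions can be exercised against a
# constructed directory tree instead of the real /sys.
#
# Facts the check relies on:
# - The kernel creates /sys/firmware/efi only when the machine was started by
#   UEFI firmware; after a legacy BIOS boot that directory is absent.
# - With efivarfs mounted, each EFI variable is a file whose first 4 bytes are
#   attribute flags and whose remaining bytes are the variable's data. For
#   SecureBoot the data is a single byte: 1 = enabled, 0 = disabled.

# GUID of the EFI global variable namespace, where SecureBoot lives.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# boot_mode [SYSFS_ROOT]: prints UEFI or BIOS.
boot_mode() {
    root="${1:-/sys}"
    if [ -d "$root/firmware/efi" ]; then
        echo "UEFI"
    else
        echo "BIOS"
    fi
}

# secure_boot_state [SYSFS_ROOT]: prints enabled, disabled, unknown, or
# not-applicable (a legacy BIOS boot has no Secure Boot at all).
secure_boot_state() {
    root="${1:-/sys}"
    var="$root/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    if [ ! -d "$root/firmware/efi" ]; then
        echo "not-applicable"
        return 0
    fi
    if [ ! -r "$var" ]; then
        # UEFI boot, but the variable is missing or unreadable (for example
        # efivarfs not mounted): report unknown rather than guessing.
        echo "unknown"
        return 0
    fi
    # Skip the 4 attribute bytes and read the 1-byte value as a decimal.
    value=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    case "$value" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# make_fake_sysfs DIR MODE SB: build a constructed sysfs tree for testing.
# MODE is "uefi" or "bios"; SB is "1", "0", or "" to omit the variable.
make_fake_sysfs() {
    dir="$1"; mode="$2"; sb="$3"
    mkdir -p "$dir/firmware"
    if [ "$mode" = "uefi" ]; then
        mkdir -p "$dir/firmware/efi/efivars"
        if [ -n "$sb" ]; then
            f="$dir/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"
            # 4 attribute bytes (BS | RT = 0x06), then the value byte.
            printf '\006\000\000\000' > "$f"
            if [ "$sb" = "1" ]; then
                printf '\001' >> "$f"
            else
                printf '\000' >> "$f"
            fi
        fi
    fi
}

# Stand-alone demo against a constructed tree (does not touch the real host);
# on a real machine call boot_mode and secure_boot_state with no argument.
demo_root=$(mktemp -d)
make_fake_sysfs "$demo_root" uefi 1
echo "constructed host: boot=$(boot_mode "$demo_root") secure_boot=$(secure_boot_state "$demo_root")"
rm -rf "$demo_root"
```

A BIOS result or a disabled Secure Boot state does not by itself mean the host is compromised, but it does mean the firmware stage the reading describes has no signature check protecting the bootloader, which is worth recording during an investigation.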


Completing a task 


As previously discussed, operating systems help us use computers more efficiently. Once a
computer has gone through the booting process, completing a task on a computer is a four-part
process.


[Diagram: User → Application → Operating System → Hardware]


User


The first part of the process is the user. The user initiates the process by having something they
want to accomplish on the computer. Right now, you're a user! You've initiated the process of
accessing this reading.


Application 


The application is the software program that users interact with to complete a task. For example, if
you want to calculate something, you would use the calculator application. If you want to write a
report, you would use a word processing application. This is the second part of the process.


Operating system 


The operating system receives the user's request from the application. It's the operating system's job
to interpret the request and direct its flow. In order to complete the task, the operating system sends
it on to applicable components of the hardware.


Hardware 


The hardware is where all the processing is done to complete the tasks initiated by the user. For 
example, when a user wants to calculate a number, the CPU figures out the answer. As another 
example, when a user wants to save a file, another component of the hardware, the hard drive, 
handles this task. 

After the work is done by the hardware, it sends the output back through the operating system to the
application so that it can display the results to the user.


The OS at work behind the scenes 


Consider once again how a computer is similar to a car. There are processes that someone won't
directly observe when operating a car, but they do feel it move forward when they press the gas
pedal. It's the same with a computer. Important work happens inside a computer that you don't
experience directly. This work involves the operating system.


You can explore this through another analogy. The process of using an operating system is also 
similar to ordering at a restaurant. At a restaurant you place an order and get your food, but you 
don’t see what’s happening in the kitchen when the cooks prepare the food. 

Ordering food is similar to using an application on a computer. When you order your food, you make 
a specific request like “a small soup, very hot.” When you use an application, you also make specific 
requests like “print three double-sided copies of this document.” 

You can compare the food you receive to what happens when the hardware sends output. You 
receive the food that you ordered. You receive the document that you wanted to print. 

Finally, the kitchen is like the OS. You don't know what happens in the kitchen, but it's critical in
interpreting the request and ensuring you receive what you ordered. Similarly, though the work of the
OS is not directly transparent to you, it's critical in completing your tasks.


An example: Downloading a file from an internet browser 


Previously, you explored how operating systems, applications, and hardware work together by
examining a task involving a calculation. You can expand this understanding by exploring how the
OS completes another task, downloading a file from an internet browser:

• First, the user decides they want to download a file that they found online, so they click on a
  download button near the file in the internet browser application.
• Then, the internet browser communicates this action to the OS.
• The OS sends the request to download the file to the appropriate hardware for processing.
• The hardware begins downloading the file, and the OS sends this information to the internet
  browser application. The internet browser then informs the user when the file has been
  downloaded.


Key takeaways 


Although it operates in the background, the operating system is an essential part of the process of
using a computer. The operating system connects applications and hardware to allow users to
complete a task.


Resource allocation via the OS 


Now we're ready to discuss a different aspect of your operating system. Not only does the OS
interact with other parts of your computer, but it's also responsible for managing the resources of the
system. This is a big task that requires a lot of balance to make sure all the resources of the
computer are used efficiently. Think of this like the concept of energy. A person needs energy to
complete different tasks. Some tasks need more energy, while others require less. For example,
going for a run requires more energy than watching TV. A computer's OS also needs to make sure
that it has enough energy to function correctly for certain tasks. Running an antivirus scan on your
computer will use more energy than using the calculator application.


Imagine your computer is an orchestra. Many different instruments like violins, drums, and trumpets
are all part of the orchestra. An orchestra also has a conductor to direct the flow of the music. In a
computer, the OS is the conductor. The OS handles resource and memory management to ensure
the limited capacity of the computer system is used where it's needed most. A variety of programs,
tasks, and processes are constantly competing for the resources of the central processing unit, or
CPU. They all have their own reasons why they need memory, storage, and input/output bandwidth.
The OS is responsible for ensuring that each program is allocating and de-allocating resources. All
this occurs in your computer at the same time so that your system functions efficiently.
Much of this is hidden from you as a user. But your task manager will list all of the tasks that are
being processed, along with their memory and CPU usage.


As an analyst, it's helpful to know where a system's resources are used. Understanding usage of
resources can help you respond to an incident and troubleshoot applications in the system.


For example, if a computer is running slowly, an analyst might discover it's allocating resources to
malware. A basic understanding of how operating systems work will help you better understand the
security skills you will learn later in this program.


Virtualization technology 


You've explored a lot about operating systems. One more aspect to consider is that operating
systems can run on virtual machines. In this reading, you'll learn about virtual machines and the
general concept of virtualization. You'll explore how virtual machines work and the benefits of using
them.


What is a virtual machine? 


A virtual machine (VM) is a virtual version of a physical computer. Virtual machines are one
example of virtualization. Virtualization is the process of using software to create virtual
representations of various physical machines. The term "virtual" refers to machines that don't exist
physically, but operate like they do because their software simulates physical hardware. Virtual
systems don't use dedicated physical hardware. Instead, they use software-defined versions of the
physical hardware. This means that a single virtual machine has a virtual CPU, virtual storage, and
other virtual hardware. Virtual systems are just code.


You can run multiple virtual machines using the physical hardware of a single computer. This
involves dividing the resources of the host computer to be shared across all physical and virtual
components. For example, Random Access Memory (RAM) is a hardware component used for
short-term memory. If a computer has 16GB of RAM, it can host three virtual machines so that the
physical computer and virtual machines each have 4GB of RAM. Also, each of these virtual
machines would have their own operating system and function similarly to a typical computer.


Benefits of virtual machines 


Security professionals commonly use virtualization and virtual machines. Virtualization can increase
security for many tasks and can also increase efficiency.


Security 


One benefit is that virtualization can provide an isolated environment, or a sandbox, on the physical
host machine. When a computer has multiple virtual machines, these virtual machines are "guests"
of the computer. Specifically, they are isolated from the host computer and other guest virtual
machines. This provides a layer of security, because virtual machines can be kept separate from the
other systems. For example, if an individual virtual machine becomes infected with malware, it can
be dealt with more securely because it's isolated from the other machines. A security professional
could also intentionally place malware on a virtual machine to examine it in a more secure
environment.

Note: Although using virtual machines is useful when investigating potentially infected machines or
running malware in a constrained environment, there are still some risks. For example, a malicious
program can escape virtualization and access the host machine. This is why you should never
completely trust virtualized systems.


Efficiency 


Using virtual machines can also be an efficient and convenient way to perform security tasks. You 
can open multiple virtual machines at once and switch easily between them. This allows you to 
streamline security tasks, such as testing and exploring various applications. 

You can compare the efficiency of a virtual machine to a city bus. A single city bus has a lot of room 
and is an efficient way to transport many people simultaneously. If city buses didn’t exist, then 
everyone on the bus would have to drive their own cars. This uses more gas, cars, and other 
resources than riding the city bus. 

Similar to how many people can ride one bus, many virtual machines can be hosted on the same
physical machine. That way, separate physical machines aren't needed to perform certain tasks.


Managing virtual machines 


Virtual machines can be managed with a software called a hypervisor. Hypervisors help users 
manage multiple virtual machines and connect the virtual and physical hardware. Hypervisors also 
help with allocating the shared resources of the physical host machine to one or more virtual 
machines. 

One hypervisor that is useful for you to be familiar with is the Kernel-based Virtual Machine (KVM).
KVM is an open-source hypervisor that is supported by most major Linux distributions. It is built into
the Linux kernel, which means it can be used to create virtual machines on any machine running a
Linux operating system without the need for additional software.


Other forms of virtualization 


In addition to virtual machines, there are other forms of virtualization. Some of these virtualization
technologies do not use operating systems. For example, multiple virtual servers can be created
from a single physical server. Virtual networks can also be created to more efficiently use the
hardware of a physical network.


Key takeaways 


Virtual machines are virtual versions of physical computers and are one example of virtualization.
Virtualization is a key technology in the security industry, and it's important for security analysts to
understand the basics. There are many benefits to using virtual machines, such as isolation of
malware and other security risks. However, it's important to remember there's still a risk of malicious
software escaping their virtualized environments.


Congratulations! You passed! 


Grade received 100% 


To pass 75% or higher 


Question 1 


What is the job of a computer's operating system? 


1/1 point 


Help other computer programs run efficiently 


Allow users to specify tasks 


Turn on the computer 


Load the bootloader 


Correct 


The job of a computer operating system is to help make other computer programs run efficiently. It does
this by managing the details related to controlling computer hardware.


Question 2 


Fill in the blank: In order to carry out tasks on a computer, users directly interact with 


1/1 point 


the CPU 


the BIOS 


task managers 


applications 


Correct 


Users interact with applications in order to carry out tasks on a computer. Applications are programs that
perform a specific task.


Question 3 


The management of a computer’s resources and memory is handled by an application. 


1/1 point 


True 


False 


Correct 


The management of a computer's resources and memory is handled by its operating system. The
operating system ensures the limited capacity of the computer system is used where it's needed most.


Question 4 


Which of the following processes are part of starting an operating system? Select all that apply. 


1/1 point 


Either the BIOS or UEFI microchip is activated when a user turns on a computer. 


Correct 


Either the BIOS or UEFI microchip is activated when a user turns on a computer. The BIOS or UEFI microchip loads the bootloader, and the bootloader starts the operating system. 


The bootloader starts the operating system. 


Correct 


The BIOS or UEFI microchip loads the bootloader. 


Correct 


The bootloader immediately launches when a user turns on a computer. 


GUI versus CLI 


Now that you've learned the inner workings of computers, let's discuss how users and operating systems communicate with each other. So far, you've learned that a computer has an operating system, hardware, and applications. Remember, the operating system communicates with the hardware to execute tasks. In this video, you'll learn how the user—that's you—interacts with the operating system in order to send tasks to the hardware. 


The user communicates with the operating system via an interface. A user interface is a program that allows a user to control the functions of the operating system. Two user interfaces that we'll discuss are the graphical user interface, or GUI, and the command-line interface, or CLI. Let's cover these interfaces in more detail. 


A GUI is a user interface that uses icons on the screen to manage different tasks on the computer. Most operating systems can be used with a graphical user interface. If you've used a personal computer or a cell phone, you have experienced operating a GUI. Most GUIs include these components: a start menu with program groups, a task bar for launching programs, and a desktop with icons and shortcuts. All these components help you communicate with the OS to execute tasks. In addition to clicking on icons, when you use a GUI, you can also search for files or applications from the start menu. You just have to remember the icon or name of the program to activate an application. 


Now let's discuss the command-line interface. In comparison, the command-line interface, or CLI, is a text-based user interface that uses commands to interact with the computer. These commands communicate with the operating system and execute tasks like opening programs. The command-line interface is a much different structure than the graphical user interface. When you use the CLI, you'll immediately notice a difference. There are no icons or graphics on the screen. The command-line interface looks similar to lines of code using certain text languages. A CLI is more flexible and more powerful than a GUI. Think about using a CLI like creating whatever meal you'd like from ingredients bought at a grocery store. This gives you a lot of control and customization about what you're going to eat. 


In comparison, using a GUI is more like ordering food from a restaurant. You can only order what's on the menu. If you want both a noodle dish and pizza, but the first restaurant you go to only has pizza, you'll have to go to another restaurant to order the noodles. With a graphical user interface, you must do one task at a time. But the command-line interface allows for customization, which lets you complete multiple tasks simultaneously. For example, imagine you have a folder with hundreds of files of different file types, and you need to move only the JPEG files to a new folder. Think about how slow and tedious this would be as you use a GUI to find each JPEG file in this folder and move it into the new one. On the other hand, the CLI would allow you to streamline this process and move them all at once. 
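The JPEG task from the video, worked as an added shell example (not course material): one find command selects the JPEG files in a folder, whatever the letter case of the extension, and moves them all in a single pass. The directory names and sample files are constructed here; it assumes a POSIX shell with find and mv.

```shell
#!/bin/sh
# Added example (not from the course): move only the JPEG files from one
# folder into another with a single command, as the video describes.
# Assumes POSIX sh with find(1) and mv(1); directory names are constructed.

# move_jpegs SRC DST: move every regular file directly inside SRC whose name
# ends in .jpg or .jpeg (any letter case) into DST, creating DST if needed.
# -maxdepth 1 keeps it to the folder itself; "--" and {} cope with names
# that contain spaces or start with a dash.
move_jpegs() {
    src=$1
    dst=$2
    mkdir -p -- "$dst"
    find "$src" -maxdepth 1 -type f \
        \( -iname '*.jpg' -o -iname '*.jpeg' \) \
        -exec mv -- {} "$dst"/ \;
}

# count_files DIR: number of regular files directly inside DIR
count_files() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# make_sample_dir DIR: build a constructed folder of mixed file types,
# including a JPEG name with a space and an upper-case extension
make_sample_dir() {
    mkdir -p -- "$1"
    for name in a.jpg 'photo two.JPG' c.jpeg notes.txt report.pdf script.sh; do
        : > "$1/$name"
    done
}

# Stand-alone run: build the sample, move the JPEGs, report the counts.
demo() {
    tmp=$(mktemp -d)
    make_sample_dir "$tmp/inbox"
    move_jpegs "$tmp/inbox" "$tmp/jpegs"
    printf 'inbox: %s files left, jpegs: %s files moved\n' \
        "$(count_files "$tmp/inbox")" "$(count_files "$tmp/jpegs")"
    rm -rf -- "$tmp"
}

demo
```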


As you can see, there are very big differences in these two types of user interfaces. As a security analyst, some of your work may involve the command-line interface. When analyzing logs or authenticating and authorizing users, security analysts commonly use a CLI in their everyday work. In this video, we discussed two types of user interfaces. You learned that you already have experience using a graphical user interface, as most personal computers and cell phones use a GUI. You were introduced to the command-line interface. Later in the program, you'll learn how to use a CLI in Linux and how relevant it is to your daily work as a security analyst. You'll get practical experience communicating through the command line. Pretty exciting, right? 


The command line in use 


Previously, you explored graphical user interfaces (GUI) and command-line user interfaces (CLI). In this reading, you'll compare these two interfaces and learn more about how they’re used in cybersecurity. 


CLI vs. GUI 


A graphical user interface (GUI) is a user interface that uses icons on the screen to manage different tasks on the computer. A command-line interface (CLI) is a text-based user interface that uses commands to interact with the computer. 


Display 


One notable difference between these two interfaces is how they appear on the screen. A GUI has graphics and icons, such as the icons on your desktop or taskbar for launching programs. In contrast, a CLI only has text. It looks similar to lines of code. 


[Figure: side-by-side comparison. Graphical user interface (GUI): a file icon labelled login_sessions.txt. Command-line interface (CLI): the text command chmod u+rwx,g+rwx,o+rwx login_sessions.txt] 


Function 


These two interfaces also differ in how they function. A GUI is an interface that only allows you to make one request at a time. However, a CLI allows you to make multiple requests at a time. 


Advantages of a CLI in cybersecurity 


The choice between using a GUI or CLI is partly based on personal preference, but security analysts should be able to use both interfaces. Using a CLI can provide certain advantages. 


Efficiency 


Some prefer the CLI because it can be used more quickly when you know how to manage this interface. For a new user, a GUI might be more efficient because GUIs are easier for beginners to navigate. 

Because a CLI can accept multiple requests at one time, it’s more powerful when you need to perform multiple tasks efficiently. For example, if you had to create multiple new files in your system, you could quickly perform this task in a CLI. If you were using a GUI, this could take much longer, because you have to repeat the same steps for each new file. 


History file 


For security analysts, using the Linux CLI is helpful because it records a history file of all the 
commands and actions in the CLI. If you were using a GUI, your actions are not necessarily saved in 
a history file. 

For example, you might be in a situation where you’re responding to an incident using a playbook. 
The playbook’s instructions require you to run a series of different commands. If you used a CLI, 
you’d be able to go back to the history and ensure all of the commands were correctly used. This 
could be helpful if there were issues using the playbook and you had to review the steps you 
performed in the command line. 

Additionally, if you suspect an attacker has compromised your system, you might be able to trace their actions using the history file. 
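As an added example (not from the course reading), a small shell check that compares the steps of a playbook against a Linux history file, reporting which commands were run and which were not, as the reading describes. The playbook and history contents are constructed sample data; it assumes a POSIX shell with grep.

```shell
#!/bin/sh
# Added example (not from the course): compare the commands a playbook
# required against a Linux shell history file.
# Assumes POSIX sh with grep(1); the playbook and history below are
# constructed sample data, not real incident records.

# write_samples DIR: create a constructed playbook and a constructed
# ~/.bash_history-style file (one command per line; the "#<epoch>" lines
# are the timestamp records bash writes when HISTTIMEFORMAT is set).
write_samples() {
    mkdir -p -- "$1"
    cat > "$1/playbook.txt" <<'EOF'
who
last -n 20
grep -i 'failed password' /var/log/auth.log
systemctl status sshd
EOF
    cat > "$1/bash_history" <<'EOF'
#1700000001
who
#1700000002
last -n 20
#1700000003
grep -i 'failed password' /var/log/auth.log
#1700000004
ls -la /tmp
EOF
}

# check_playbook PLAYBOOK HISTORY: print RAN or MISSING for every playbook
# step and return the number of missing steps (0 = every step was run).
# grep -x -F matches the whole line literally, so a similar but not
# identical command (different flags or path) is reported as MISSING.
# Return status wraps above 255, so keep playbooks shorter than that.
check_playbook() {
    missing=0
    while IFS= read -r step; do
        [ -z "$step" ] && continue
        if grep -qxF -- "$step" "$2"; then
            printf 'RAN      %s\n' "$step"
        else
            printf 'MISSING  %s\n' "$step"
            missing=$((missing + 1))
        fi
    done < "$1"
    return "$missing"
}

# missing_count PLAYBOOK HISTORY: print the number of missing steps.
# The "|| n=$?" form keeps a non-zero return from aborting under set -e.
missing_count() {
    n=0
    check_playbook "$1" "$2" >/dev/null || n=$?
    echo "$n"
}

# Stand-alone run: one playbook step was never executed.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    check_playbook "$tmp/playbook.txt" "$tmp/bash_history" || :
    printf 'missing steps: %s\n' "$(missing_count "$tmp/playbook.txt" "$tmp/bash_history")"
    rm -rf -- "$tmp"
}

demo
```

The history file only proves a command line was entered, not that it succeeded, so pair this check with the command output you captured during the incident.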


Key takeaways 


GUIs and CLIs are two types of user interfaces that security analysts should be familiar with. There are multiple differences between a GUI and a CLI, including their displays and how they function. When working in cybersecurity, a CLI is often preferred over a GUI because it can handle multiple tasks simultaneously and it includes a history file. 


Congratulations! You passed! 


Grade received 100% 

To pass 75% or higher 

In this exercise, you will review multiple scenarios and decide if a graphical user interface (GUI) or 
command-line interface (CLI) would be more effective. You will also need to explain your reasoning. After 
you submit your reflection, you can compare your answers to the feedback provided. 

Note: Coursera will mark each item that you submit as correct, but to improve your understanding, you should carefully consider how your response aligns with the feedback. 


Question 1 


You are a security professional training all employees at your company on creating a strong password. You explain different strategies that they can use for making passwords secure. You also demonstrate how to change passwords. Your teammates have a wide range of technical expertise. 

In this scenario, should you use a GUI or CLI to demonstrate how to change passwords? Explain your reasoning in 2-3 sentences. 


1/1 point 


In this scenario I would use a CLI to demonstrate to my teammates how to change a password because my team already has a range of technical expertise, so I should not assume that they don't know what to do. Only when I would be showing employees of a company would I use the GUI. 


Correct 


Thank you for your response. A GUI would be more effective in this scenario. This is because GUIs are easier for beginners to navigate. These individuals will likely already have experience using GUIs on their phones and computers but may not be familiar with CLIs. 


Question 2 


You are reviewing log files for a department at your company. Log file names are supposed to include the name of the department. After reviewing multiple log files, you realize that the file names do not include the name of the department. You decide to rename all the log files for this department. There are hundreds of log files. 

In this scenario, should you use a GUI or CLI to rename the log files? Explain your reasoning in 2-3 sentences. 


1/1 point 


Since I'll be proficient using both of these interfaces, I would use the command-line interface (CLI), since it allows users to change multiple documents at a time. CLI allows you to make multiple requests at a time, as opposed to the GUI, which only allows you to change one at a time. A GUI is an interface that only allows you to make one request at a time. 


Correct 


Thank you for your response. A CLI would generally be more effective in this scenario. This is because CLIs allow you to perform multiple tasks simultaneously. In this case, you could rename all the files at once. If you used a GUI for this task, you would need to rename the files individually unless you had access to a special program for batch file renaming. 
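The batch rename from this scenario, as an added shell example that is not part of the course feedback: every .log file in a directory gets the department name as a prefix, files that already carry it are left alone, and an optional dry run prints the plan before anything is renamed. The department name "finance" and the sample files are constructed; it assumes a POSIX shell with find and mv.

```shell
#!/bin/sh
# Added example (not from the course): rename hundreds of log files in one
# pass so each name carries the department, as the scenario describes.
# Assumes POSIX sh with find(1) and mv(1); the sample files are constructed.

# make_samples DIR: a constructed folder of log files, one already prefixed,
# one with a space in its name, and one non-log file that must be untouched.
make_samples() {
    mkdir -p -- "$1"
    for f in 2024-01-01.log 2024-01-02.log 'jan 03.log' \
             finance_2024-01-04.log readme.txt; do
        : > "$1/$f"
    done
}

# prefix_logs DIR DEPT [dry]: rename DIR/NAME.log to DIR/DEPT_NAME.log for
# every .log file directly inside DIR that is not already prefixed.
# With a third argument, only print the plan ("old -> new") and rename nothing.
# Skipping already-prefixed names makes a second run a no-op.
prefix_logs() {
    dir=$1; dept=$2; dry=${3:-}
    find "$dir" -maxdepth 1 -type f -name '*.log' -print |
    while IFS= read -r path; do
        name=${path##*/}
        case $name in
            "${dept}_"*) continue ;;   # already carries the department
        esac
        printf '%s -> %s\n' "$name" "${dept}_$name"
        [ -n "$dry" ] || mv -- "$path" "$dir/${dept}_$name"
    done
}

# count_prefixed DIR DEPT: number of .log files in DIR carrying the prefix
count_prefixed() {
    find "$1" -maxdepth 1 -type f -name "${2}_*.log" | wc -l | tr -d ' '
}

# Stand-alone run: show the plan, apply it, then show that a rerun is a no-op.
demo() {
    tmp=$(mktemp -d)
    make_samples "$tmp/logs"
    echo "plan:";   prefix_logs "$tmp/logs" finance dry
    echo "apply:";  prefix_logs "$tmp/logs" finance
    echo "rerun:";  prefix_logs "$tmp/logs" finance
    printf 'prefixed log files: %s\n' "$(count_prefixed "$tmp/logs" finance)"
    rm -rf -- "$tmp"
}

demo
```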


Question 3 


You are installing multiple applications. You want to keep a history of commands while you install the applications. This will allow you to check later to ensure that you installed all of the necessary applications and that you installed them correctly. 

In this scenario, should you use a GUI or CLI to install the applications? Explain your reasoning in 2-3 sentences. 


1/1 point 


GUI: search for files or applications from the start menu. You just have to remember the icon or name of the program to activate an application. 


Correct 


Thank you for your response. A CLI would be more effective in this scenario. This is because a CLI records a history of all commands used in the CLI. GUIs do not necessarily include a history file of all actions performed in the GUI. 


Congratulations! You passed! 


Grade received 100% 


To pass 75% or higher 


Question 1 


What is a GUI? 


1/1 point 


A user interface that only runs on mobile devices 


A user interface that allows people to interact with a computer through commands 


A user interface that enables people to manage tasks on a computer using icons 


A user interface that runs only on Linux operating systems 


Correct 


A GUI, or graphical user interface, is a user interface that enables people to manage tasks on a computer using icons. Most operating systems can be used with a GUI. 


Question 2 


Which of the following can be components of a GUI? Select all that apply. 


1/1 point 


Hardware 


Desktop icons and shortcuts 


Correct 


Desktop icons and shortcuts are common components of a GUI. 


Task bar 


Correct 


A task bar is a common component of a GUI. 


Start menu 


Correct 


A start menu is a common component of a GUI. 


Question 3 


Fill in the blank: A security professional uses a(n) ___ to interact with a computer using text-based instructions. 


1/1 point 


CLI 


text system 


GUI 


operating system 


Correct 


A security professional uses a CLI, or command-line interface, to interact with a computer using text-based instructions. 


Question 4 


A useful feature of a CLI is that it records a history file of commands and actions. 


1/1 point 


True 


False 


Correct 


A useful feature of a CLI is that it records a history file of commands and actions. This can help security analysts confirm that they used the correct commands from a playbook. It also might help them trace the actions of an attacker. 


Wrap-up 


We did it! What a great section of learning! The best thing is that we did this together and covered some very useful topics. Let's recap this section's lessons. As a security analyst, it's important that you understand the systems that you're working with. Understanding computer basics will help you do your job more effectively and efficiently. In this section, we covered common operating systems. We also discussed the main functions of an operating system. Importantly, you learned about the relationship between operating systems, applications, and hardware. It was nice to learn how they flow together like an orchestra. In addition, you learned about the differences between the graphical user interface and the command-line interface. Understanding the command-line interface will be very important for your work. 


I enjoyed exploring the world of operating systems with you. Knowing how operating systems work is an important step in preparing for a position as a security analyst. You're doing great! Let's keep moving forward with this program. In the next section, we'll focus specifically on the Linux operating system. 


Glossary terms from module 1 


Terms and definitions from Course 4, Module 1 


Application: A program that performs a specific task 

Basic Input/Output System (BIOS): A microchip that contains loading instructions for the computer 
and is prevalent in older systems 

Bootloader: A software program that boots the operating system 

Command-line interface (CLI): A text-based user interface that uses commands to interact with the 
computer 

Graphical user interface (GUI): A user interface that uses icons on the screen to manage different 
tasks on the computer 

Hardware: The physical components of a computer 

Legacy operating system: An operating system that is outdated but still being used 

Operating system (OS): The interface between computer hardware and the user 

Random Access Memory (RAM): A hardware component used for short-term memory 

Unified Extensible Firmware Interface (UEFI): A microchip that contains loading instructions for 
the computer and replaces BIOS on more modern systems 

User interface: A program that allows the user to control the functions of the operating system 


Virtual machine (VM): A virtual version of a physical computer 


Welcome to module 2 


Welcome back! We have another important topic to explore. Previously, you learned about operating systems and user interfaces. You learned how operating systems work and how resources are allocated in computers. We also reviewed several common operating systems. You may already have a favorite operating system. It's common to hear that people are fans of one over another, but in the security world, Linux is commonly used. 


In this section, you'll be learning more about the Linux operating system and how it's used in everyday tasks in security. First, you'll learn about the architecture of Linux. After this, we'll compare the different distributions of Linux that are available. Lastly, you'll explore the shell, a key Linux component that allows you to communicate with the system. I remember when I first learned about the Linux OS, and I'm really happy to explore it with you now. 


Introduction to Linux 


You might have seen or heard the name Linux in the past. But did you know Linux is the most-used operating system in security today? Let's start by taking a look at Linux and how it's used in security. 


Linux is an open-source operating system. It was created in two parts. In the early 1990s, two different people were working separately on projects to improve computer engineering. The first person was Linus Torvalds. At the time, the UNIX operating system was already in use. He wanted to improve it and make it open source and accessible to anyone. What was revolutionary was his introduction of the Linux kernel. We're going to learn what the kernel does later. 


Around the same time, Richard Stallman started working on GNU. GNU was also an operating system based on UNIX. Stallman shared Torvalds' goal of creating software that was free and open to anyone. After working on GNU for a few years, the missing element for the software was a kernel. Together, Torvalds' and Stallman’s innovations made what is commonly referred to as Linux. 


Now that you've learned the history behind Linux, let's take a look at what makes Linux unique. As mentioned before, Linux is open source, meaning anyone can have access to the operating system and the source code. Linux and many of the programs that come with Linux are licensed under the terms of the GNU Public License, which allow you to use, share, and modify them freely. Thanks to Linux's open-source philosophy as well as a strong feature set, an entire community of developers has adopted this operating system. These developers are able to collaborate on projects and advance computing together. As a security analyst, you'll discover that Linux is used at different organizations. More specifically, Linux is used in many security programs. Another unique feature about Linux is the different distributions, or varieties, that have been developed. Because of the large community contribution, there are over 600 distributions of Linux. Later you'll learn more about distributions. 


Finally, let's take a look at how you would use Linux in an entry-level security position. As a security analyst, you'll use many tools and programs in everyday work. You might examine different types of logs to identify what's going on in the system. For example, you might find yourself looking at an error log when investigating an issue. Another place where you will use Linux is to verify access and authorization in an identity and access management system. In security, managing access is key in order to ensure a secure system. We'll take a closer look into access and authorization later. 


Finally, as an analyst, you might find yourself working with specific distributions designed for a particular task. For example, you might use a distribution that has a digital forensic tool to investigate what happened in an event alert. You might also use a distribution that's for pen testing in offensive security to look for vulnerabilities in the system. Distributions are created to fit the needs of their users. I hope you're excited to learn more about Linux. This will be a very useful skill in the security field. 


Linux architecture 


Let me start with a quick question that may seem unrelated to security. Do you have a favorite building? And what is it about its architecture that impresses you the most? The windows? The structure of the walls? Just like buildings, operating systems also have an architecture and are made up of discrete components that work together to form the whole. In this video, we're going to look at all the components that together make up Linux. 


The components of Linux include the user, applications, the shell, the Filesystem Hierarchy Standard, the kernel, and the hardware. Don't worry—we'll go into these components one by one together. 


First, you are the user. The user is the person interacting with the computer. In Linux, you're the first element to the architecture of the operating system. You're initiating the tasks or commands that the OS is going to execute. Linux is a multi-user system. This means that more than one user can use the system's resources at the same time. 


The second element of the architecture is the applications within a system. An application is a program that performs a specific task, such as a word processor or a calculator. You might hear the words "applications" and "programs" used interchangeably. As an example, one popular Linux application that we'll learn more about later is Nano. Nano is a text editor. This simple application helps you keep notes on the screen. Linux applications are commonly distributed through package managers. We'll learn more about this process later. 


The next component in the architecture of Linux is the shell. This is an important element because it is how you will communicate with the system. The shell is a command line interpreter. It processes commands and outputs the results. This might sound familiar. Previously, we learned about the two types of user interfaces: the GUI and the CLI. You can think of the shell as a CLI. 


Another element of the architecture of Linux is the Filesystem Hierarchy Standard, or FHS. It's the component of the Linux OS that organizes data. An easy way for you to think about the FHS is to think about it as a filing cabinet of data. The FHS is how data is stored in a system. It's a way to organize data so that it can be found when the data is accessed by the system. 


That brings us to the kernel. The kernel is a component of the Linux OS that manages processes and memory. The kernel communicates with the hardware to execute the commands sent by the shell. The kernel uses drivers to enable applications to execute tasks. The Linux kernel helps ensure that the system allocates resources more efficiently and makes the system work faster. 


Finally, the last component of the architecture is the hardware. Hardware refers to the physical components of a computer. You can compare this to software applications, which can be downloaded into a system. The hardware in your computer includes things like the CPU, mouse, and keyboard. 


Congratulations! We've now covered the architecture of Linux. An understanding of these components will help you become increasingly familiar with Linux. 


Linux architecture explained 


Understanding the Linux architecture is important for a security analyst. When you understand how a system is organized, it makes it easier to understand how it functions. In this reading, you'll learn more about the individual components in the Linux architecture. A request to complete a task starts with the user and then flows through applications, the shell, the Filesystem Hierarchy Standard, the kernel, and the hardware. 


User 


The user is the person interacting with a computer. They initiate and manage computer tasks. Linux is a multi-user system, which means that multiple users can use the same resources at the same time. 


Applications 


An application is a program that performs a specific task. There are many different applications on your computer. Some applications typically come pre-installed on your computer, such as calculators or calendars. Other applications might have to be installed, such as some web browsers or email clients. In Linux, you'll often use a package manager to install applications. A package manager is a tool that helps users install, manage, and remove packages or applications. A package is a piece of software that can be combined with other packages to form an application. 


Shell 


The shell is the command-line interpreter. Everything entered into the shell is text based. The shell allows users to give commands to the kernel and receive responses from it. You can think of the shell as a translator between you and your computer. The shell translates the commands you enter so that the computer can perform the tasks you want. 


Filesystem Hierarchy Standard (FHS) 


The Filesystem Hierarchy Standard (FHS) is the component of the Linux OS that organizes data. 
It specifies the location where data is stored in the operating system. 

A directory is a file that organizes where other files are stored. Directories are sometimes called “folders,” and they can contain files or other directories. The FHS defines how directories, directory contents, and other storage is organized so the operating system knows where to find specific data. 


Kernel 


The kernel is the component of the Linux OS that manages processes and memory. It communicates with the applications to route commands. The Linux kernel is unique to the Linux OS and is critical for allocating resources in the system. The kernel controls all major functions of the hardware, which can help get tasks expedited more efficiently. 


Hardware 


The hardware is the physical components of a computer. You might be familiar with some hardware components, such as hard drives or CPUs. Hardware is categorized as either peripheral or internal. 


Peripheral devices 


Peripheral devices are hardware components that are attached and controlled by the computer system. They are not core components needed to run the computer system. Peripheral devices can be added or removed freely. Examples of peripheral devices include monitors, printers, the keyboard, and the mouse. 


Internal hardware 


Internal hardware consists of the components required to run the computer. Internal hardware includes a main circuit board and all components attached to it. This main circuit board is also called the motherboard. Internal hardware includes the following: 


The Central Processing Unit (CPU) is a computer’s main processor, which is used to 
perform general computing tasks on a computer. The CPU executes the instructions 
provided by programs, which enables these programs to run. 

Random Access Memory (RAM) is a hardware component used for short-term memory. It’s 
where data is stored temporarily as you perform tasks on your computer. For example, if 
you’re writing a report on your computer, the data needed for this is stored in RAM. After 
you’ve finished writing the report and closed down that program, this data is deleted from 
RAM. Information in RAM cannot be accessed once the computer has been turned off. The 
CPU takes the data from RAM to run programs. 

The hard drive is a hardware component used for long-term memory. It’s where programs and files are stored for the computer to access later. Information on the hard drive can be accessed even after a computer has been turned off and on again. A computer can have multiple hard drives. 


Key takeaways 


It’s important for security analysts to understand the Linux architecture and how these components are organized. The components of the Linux architecture are the user, applications, shell, Filesystem Hierarchy Standard, kernel, and hardware. Each of these components is important in how Linux functions. 


Congratulations! You passed! 


Grade received 100% 


To pass 75% or higher 


Question 1 
As a security analyst, you might use Linux to review logs when investigating an issue. 


1/1 point 


True 


False 


Correct 


As a security analyst, you might use Linux to review logs when investigating an issue. Another reason you might use Linux is to verify access and authorization. 


Question 2 


Which of the following are components of the Linux architecture? Select all that apply. 


1/1 point 


The kernel 


Correct 


Components of the Linux architecture include applications, the shell, and the kernel. The user, the Filesystem Hierarchy Standard (FHS), and hardware are also components of the Linux architecture. 


Applications 


Correct 




The shell 


Correct 




The operating system 


Question 3 


Fill in the blank: The Filesystem Hierarchy Standard (FHS) is the component of Linux architecture that 


1/1 point 


manages processes and memory 


consists of the physical components of a computer 


organizes data 


enables people to communicate with the system 


Correct 


The Filesystem Hierarchy Standard (FHS) is the component of the Linux OS that organizes data. 


Question 4 


Which of the following hardware components are peripheral devices? Select all that apply. 


1/1 point 


a printer 


Correct 


Monitors and printers are peripheral devices. Peripheral devices are hardware components that are attached and controlled by the computer system. The CPU and RAM are internal hardware. Internal hardware consists of the components required to run the computer. 


a CPU 


a monitor 


Correct 




Linux distributions 


Let's learn a little bit more about Linux and what you need to know about this operating system when working as a security analyst. Linux is a very customizable operating system. Unlike other operating systems, there are different versions available for you to use. These different versions of Linux are called distributions. You might also hear them called distros or flavors of Linux. It's essential for you to understand the distribution that you're using so you know what tools and apps are available to you. For example, Debian is a distro that has different tools than the Ubuntu distribution. 


Let's use an analogy to describe Linux distributions. Think of the OS as a vehicle. First, we'll start with its engine—that would be the kernel. Just as the engine makes a vehicle run, the kernel is the most important component of the Linux OS. Because the Linux kernel is open source, anyone can take the kernel and modify it to build a new distribution. This is comparable to a vehicle manufacturer taking an engine and creating different types of vehicles: trucks, cars, vans, convertibles, buses, airplanes, and so on. These different types of vehicles can be compared to different Linux distributions. A bus is used to transport lots of people. A truck is used to transport a large number of goods across vast distances. An aircraft transports passengers or goods by air. 


Just as each vehicle serves its own purpose, different distributions are used for different reasons. Additionally, vehicles all have different components which distinguish them from each other. Aircraft have control panels with buttons and knobs. Regular cars have four tires, but trucks can have more. Similarly, different Linux distributions contain different preinstalled programs, user interfaces, and much more. A lot of this is based on what the Linux user needs, but some distros are also chosen based on preference—the same way a sports car might be chosen as a vehicle. 


The advantage of using Linux as an OS is that you can customize it. Distributions include the Linux kernel, utilities, a package management system, and an installer. We learned earlier that Linux is open source, and anyone can contribute to adding to the source code. That is how new distributions are created.


All distros are derived from another distro, but there are a few that are considered parent distributions. Red Hat® is the parent of CentOS, and Slackware® is the parent of SUSE®. Both Ubuntu and KALI LINUX™ are derived from Debian.


As we continue, we're going to take a look at some of the distributions most commonly used by security analysts. The more you understand these distributions, the easier your work will be.


KALI LINUX™


In this section, we're going to cover a Linux distribution that's widely used in security and discuss KALI LINUX™. KALI LINUX™ is a trademark of Offensive Security and is Debian derived. This open-source distro was made specifically with penetration testing and digital forensics in mind. There are many tools pre-installed into KALI LINUX™. It's important to note that KALI LINUX™ should be used on a virtual machine. This prevents damage to your system in the event its tools are used improperly. An additional benefit is that using a virtual machine gives you the ability to revert to a previous state.

As security professionals advance in their careers, some specialize in penetration testing. A 
penetration test is a simulated attack that helps identify vulnerabilities in systems, networks, 
websites, applications, and processes. KALI LINUX™ has numerous tools that are useful during 
penetration testing. Let's look at a few examples. 

To begin, Metasploit can be used to look for and exploit vulnerabilities on machines. Burp Suite is another tool that helps to test for weaknesses in web applications. And finally, John the Ripper is a tool used to guess passwords. As a security analyst, your work might involve digital forensics. Digital forensics is the process of collecting and analyzing data to determine what has happened after an attack. For example, you might take an investigative look at data related to network activity. KALI LINUX™ is also a useful distribution for security professionals who are involved in digital forensic work. It has a large number of tools that can be used for this. As one example, tcpdump is a command-line packet analyzer. It's used to capture network traffic. Another tool commonly used in the security profession is Wireshark. It has a graphical user interface that can be used to analyze live and captured network traffic. And as a final example, Autopsy is a forensic tool used to analyze hard drives and smartphones. These are just a few tools included with KALI LINUX™. This distribution has many tools used to conduct pen testing and digital forensics.

We've explored how KALI LINUX™ is an important distribution that's widely used in security, but there are other distributions that security professionals use as well. Next we'll explore a few more distributions.


More Linux distributions 


Previously, you were introduced to the different distributions of Linux. This included KALI LINUX™. (KALI LINUX™ is a trademark of OffSec.) In addition to KALI LINUX™, there are multiple other Linux distributions that security analysts should be familiar with. In this reading, you'll learn about additional Linux distributions.


KALI LINUX™


KALI LINUX™ is an open-source distribution of Linux that is widely used in the security industry. This is because KALI LINUX™, which is Debian-based, is pre-installed with many useful tools for penetration testing and digital forensics. A penetration test is a simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes. Digital forensics is the practice of collecting and analyzing data to determine what has happened after an attack. These are key activities in the security industry.


However, KALI LINUX™ is not the only Linux distribution that is used in cybersecurity.


Ubuntu 


Ubuntu is an open-source, user-friendly distribution that is widely used in security and other industries. It has both a command-line interface (CLI) and a graphical user interface (GUI). Ubuntu is also Debian-derived and includes common applications by default. Users can also download many more applications from a package manager, including security-focused tools. Because of its wide use, Ubuntu has an especially large number of community resources to support users.

Ubuntu is also widely used for cloud computing. As organizations migrate to cloud servers, cybersecurity work may more regularly involve Ubuntu derivatives.


Parrot 


Parrot is an open-source distribution that is commonly used for security. Similar to KALI LINUX™, Parrot comes with pre-installed tools related to penetration testing and digital forensics. Like both KALI LINUX™ and Ubuntu, it is based on Debian.

Parrot is also considered to be a user-friendly Linux distribution. This is because it has a GUI that many find easy to navigate. This is in addition to Parrot’s CLI.


Red Hat® Enterprise Linux® 


Red Hat Enterprise Linux is a subscription-based distribution of Linux built for enterprise use. Red Hat is not free, which is a major difference from the previously mentioned distributions. Because it’s built and supported for enterprise use, Red Hat also offers a dedicated support team for customers to call about issues.


CentOS 


CentOS is an open-source distribution that is closely related to Red Hat. It uses source code published by Red Hat to provide a similar platform. However, CentOS does not offer the same enterprise support that Red Hat provides and is supported through the community.


Key takeaways 


KALI LINUX™, Ubuntu, Parrot, Red Hat, and CentOS are all widely used Linux distributions. It’s important for security analysts to be aware of these distributions that they might encounter in their career.


Package managers for installing applications 


Previously, you learned about Linux distributions and that different distributions derive from different sources, such as Debian or Red Hat Enterprise Linux. You were also introduced to package managers, and learned that Linux applications are commonly distributed through package managers. In this reading, you'll apply this knowledge to learn more about package managers.


Introduction to package managers 


A package is a piece of software that can be combined with other packages to form an application. 
Some packages may be large enough to form applications on their own. 

Packages contain the files necessary for an application to be installed. These files include 
dependencies, which are supplemental files used to run an application. 

Package managers can help resolve any issues with dependencies and perform other management 
tasks. A package manager is a tool that helps users install, manage, and remove packages or 
applications. Linux uses multiple package managers. 

Note: It’s important to use the most recent version of a package when possible. The most recent version has the most up-to-date bug fixes and security patches. These help keep your system more secure.


Types of package managers 


Many commonly used Linux distributions are derived from the same parent distribution. For example, KALI LINUX™, Ubuntu, and Parrot all come from Debian. CentOS comes from Red Hat. This knowledge is useful when installing applications because certain package managers work with certain distributions. For example, the Red Hat Package Manager (RPM) can be used for Linux distributions derived from Red Hat, and package managers such as dpkg can be used for Linux distributions derived from Debian.

Different package managers typically use different file extensions. For example, Red Hat Package Manager (RPM) has files which use the .rpm file extension, such as Package-Version-Release.Architecture.rpm. Package managers for Debian-derived Linux distributions, such as dpkg, have files which use the .deb file extension, such as Package_Version-Release_Architecture.deb.


Package management tools 


In addition to package managers like RPM and dpkg, there are also package management tools that allow you to easily work with packages through the shell. Package management tools are sometimes utilized instead of package managers because they allow users to more easily perform basic tasks, such as installing a new package. Two notable tools are the Advanced Package Tool (APT) and Yellowdog Updater Modified (YUM).


Advanced Package Tool (APT)


APT is a tool used with Debian-derived distributions. It is run from the command-line interface to manage, search, and install packages.


Yellowdog Updater Modified (YUM)


YUM is a tool used with Red Hat-derived distributions. It is run from the command-line interface to manage, search, and install packages. YUM works with .rpm files.
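An added example, not code from the course or from any package manager project, showing the two things this reading pairs: the package tool for a distribution family, chosen from the ID and ID_LIKE fields of an /etc/os-release style file, and the fields inside the .rpm and .deb file names described above. The function names, the os-release text and the package names are constructed for the example.

```sh
# Added example (not the course's own code).  Constructed os-release text and
# package names are used throughout; nothing here is read from a real system.

# package_tool_for_os_release FILE -> prints apt, yum, or unknown.
# ID names the distribution and ID_LIKE names the parent it derives from, so
# a derived distro such as Ubuntu, Parrot or CentOS is matched via its parent.
package_tool_for_os_release() {
    ids=$(sed -n 's/^ID=//p; s/^ID_LIKE=//p' "$1" | tr -d '"')
    case " $(echo $ids) " in
        *" debian "*)                         echo apt ;;     # Debian family
        *" rhel "*|*" fedora "*|*" centos "*) echo yum ;;     # Red Hat family
        *)                                    echo unknown ;;
    esac
}

# parse_package_name FILE -> sets PKG_FORMAT, PKG_NAME, PKG_VERSION,
# PKG_RELEASE and PKG_ARCH; returns 1 for a name in neither format.
#   Red Hat family:  name-version-release.arch.rpm
#   Debian family:   name_version-release_arch.deb
# A package name may itself contain "-", but version and release never do,
# so the .rpm form is split from the right-hand end.
parse_package_name() {
    file=${1##*/}                              # drop any directory part
    case "$file" in
        *.rpm)
            PKG_FORMAT=rpm
            stem=${file%.rpm}
            PKG_ARCH=${stem##*.};    stem=${stem%.*}
            PKG_RELEASE=${stem##*-}; stem=${stem%-*}
            PKG_VERSION=${stem##*-}; PKG_NAME=${stem%-*}
            ;;
        *.deb)
            PKG_FORMAT=deb
            stem=${file%.deb}
            PKG_ARCH=${stem##*_};    stem=${stem%_*}
            PKG_NAME=${stem%%_*};    vr=${stem#*_}
            case "$vr" in
                *-*) PKG_VERSION=${vr%-*}; PKG_RELEASE=${vr##*-} ;;
                *)   PKG_VERSION=$vr;      PKG_RELEASE="" ;;   # no release field
            esac
            ;;
        *) return 1 ;;
    esac
}

# Walk-through with constructed inputs.
osrel=$(mktemp)
printf 'ID=ubuntu\nID_LIKE=debian\n' > "$osrel"            # Ubuntu-style sample
echo "ubuntu-style os-release -> $(package_tool_for_os_release "$osrel")"
printf 'ID="centos"\nID_LIKE="rhel fedora"\n' > "$osrel"   # CentOS-style sample
echo "centos-style os-release -> $(package_tool_for_os_release "$osrel")"
rm -f "$osrel"

for name in examplepkg-1.2.3-4.el9.x86_64.rpm examplepkg_1.2.3-4_amd64.deb; do
    parse_package_name "$name"
    echo "$name -> format=$PKG_FORMAT name=$PKG_NAME version=$PKG_VERSION release=$PKG_RELEASE arch=$PKG_ARCH"
done
```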


Key takeaways 


A package is a piece of software that can be combined with other packages to form an application. Packages can be managed using a package manager. There are multiple package managers and package management tools for different Linux distributions. Package management tools allow users to easily work with packages through the shell. Debian-derived Linux distributions use package managers like dpkg as well as package management tools like Advanced Package Tool (APT). Red Hat-derived distributions use the Red Hat Package Manager (RPM) or tools like Yellowdog Updater Modified (YUM).


Congratulations! You passed! Grade received: 100% (to pass: 75% or higher)


Question 1 (1/1 point)

Fill in the blank: Because the ___ is open source, anyone can modify it to build new Linux distributions.

  shell
  kernel
  hardware
  application

Correct answer: kernel. Because the kernel is open source, anyone can modify it to build new Linux distributions. The kernel is the component of the Linux OS that manages processes and memory.


Question 2 (1/1 point)

What is KALI LINUX™? (KALI LINUX™ is a trademark of OffSec.)

  A subscription-based Linux distribution built for enterprise use
  A tool used to guess passwords
  A Debian-derived, open-source distribution of Linux designed for security tasks
  A tool with a graphical user interface that can be used to analyze live and captured network traffic

Correct answer: A Debian-derived, open-source distribution of Linux designed for security tasks. KALI LINUX™ is a Debian-derived, open-source distribution of Linux designed for security tasks, such as penetration testing and digital forensics.


Question 3 (1/1 point)

What is an open-source, user-friendly distribution derived from Debian that is widely used in security and other industries?

  Red Hat
  tcpdump
  Autopsy
  Ubuntu

Correct answer: Ubuntu. Ubuntu is an open-source, user-friendly distribution derived from Debian that is widely used in security and other industries. Because of its wide use, Ubuntu has a large number of community resources to support users.


Question 4 (1/1 point)

Which of the following are distributions of Linux? Select all that apply.

  Parrot
  Pen Test
  CentOS
  Red Hat

Correct answers: Parrot, CentOS, and Red Hat. Red Hat, CentOS, and Parrot are all distributions of Linux.


Introduction to the shell 


Welcome back! In this video, we're going to discuss the Linux shell. This part of the Linux architecture is where the action will happen for you as a security analyst. We introduced the shell with other components of the Linux OS earlier, but let's take a deeper look at what the shell is and what it does.


The shell is the command-line interpreter. That means it helps you communicate with the operating 
system through the command line. Previously, we discussed a command-line interface. This is 
essentially the shell. The shell provides the command-line interface for you to interact with the OS. 
To tell the OS what to do, you enter commands into this interface. A command is an instruction 
telling the computer to do something. The shell communicates with the kernel to execute these 
commands. 

Earlier, we discussed how the operating system helps humans and computers speak with each 
other. The shell is the part of the OS that allows you to do this. Think of this as a very helpful 
language interpreter between you and your system. Since you do not speak computer language or 
binary, you can't directly communicate with your system. This is where the shell comes in to help 
you. Your OS doesn't need the shell for most of its work, but it is an interface between you and what 
your system can offer. It allows you to perform math, run tests, and execute applications. More 
importantly, it allows you to combine these operations and connect applications to each other to 
perform complex and automated tasks. 

Just as there are many Linux distributions, there are many different types of shells. We'll primarily focus on the Bash shell in this course. Let's continue to learn more about the shell.


Different types of shells 


Knowing how to work with Linux shells is an important skill for cybersecurity professionals. Shells can be used for many common tasks. Previously, you were introduced to shells and their functions. This reading will review shells and introduce you to different types, including the one that you'll use in this course.


Communicate through a shell 


As you explored previously, the shell is the command-line interpreter. You can think of a shell as a translator between you and the computer system. Shells allow you to give commands to the computer and receive responses from it. When you enter a command into a shell, the shell executes many internal processes to interpret your command, send it to the kernel, and return your results.


Types of shells 


The many different types of Linux shells include the following:

• Bourne-Again Shell (bash)
• C Shell (csh)
• Korn Shell (ksh)
• Enhanced C shell (tcsh)
• Z Shell (zsh)


All Linux shells use common Linux commands, but they can differ in other features. For example, ksh and bash use the dollar sign ($) to indicate where users type in their commands. Other shells, such as zsh, use the percent sign (%) for this purpose.


Bash 


Bash is the default shell in most Linux distributions. It’s considered a user-friendly shell. You can use bash for basic Linux commands as well as larger projects.

Bash is also the most popular shell in the cybersecurity profession. You'll use bash throughout this course as you learn and practice Linux commands.


Key takeaways 


Shells are a fundamental part of the Linux operating system. Shells allow you to give commands to the computer and receive responses from it. They can be thought of as a translator between you and your computer system. There are many different types of shells, but the bash shell is the most commonly used shell in the cybersecurity profession. You'll learn how to enter Linux commands through the bash shell later in this course.


Input and output in the shell 


Hello again! In this video, we're going to learn a little more about the shell and how to communicate 
with it. Communicating with a computer is like having a conversation with your friend. One person 
asks a question and the other person answers with a response. If you don't know the answer, you 
can just say you don't know the answer. When you communicate with the shell, the commands in the 
shell can take input, give output, or give error messages. 

Let's explore standard input, standard output, and error messages in more detail. Standard input 
consists of information received by the OS via the command line. This is like you asking your friend 
a question during a conversation. The information is input from your keyboard to the shell. If the shell 
can interpret your request, it asks the kernel for the resources it needs to execute the related task. 
Let's take a look at this through echo, a Linux command that outputs a specified string of text. String 
data is data consisting of an ordered sequence of characters. In our example, we'll just have it output 
the string of: hello. So, as input, we'll type: echo hello into the shell. Later, when we press enter, we'll 
get the output. But before we do that, let's first discuss the concept of output in more detail. 

Standard output is the information returned by the OS through the shell. In the same way that your 
friend gives an answer to your question, output is a computer's response to the command you input. 
Output is what you receive. Let's pick up where we left off in our example and send the input of: 
echo hello to the OS by pressing enter. Immediately, the shell returns the output of: hello. 

Finally, standard error contains error messages returned by the OS through the shell. Just like your friend might indicate that they can't answer a question, the system responds with an error message if it can't respond to your command. Sometimes this might occur when we misspell a command or the system doesn't know the response to the command. Other times, it might happen because we don't have the appropriate permissions to perform a command.

We'll explore another example that demonstrates standard error. Let's input: eco hello into the shell. Notice I intentionally misspelled echo as e-c-o. When we press enter, an error message appears.

To wrap up, we've covered the basics of communication with the shell. Communication with the shell can only go in one of three ways: the system receives a command—this is input; the system responds to the command and produces output; and finally, the system doesn't know how to respond, resulting in an error. Later, you'll become much more familiar with this as we explore commands useful for security professionals.
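The three outcomes this video describes, as an added example that is not part of the course: a small shell script that captures standard output and standard error into separate files and records the exit status, so an error message is never mistaken for a result. The run_and_classify and report functions and all of the inputs are constructed for this example.

```sh
# Added example (not the course's own code).  Every command line run here is a
# constructed illustration of the video's "echo hello" and "eco hello" inputs.

# run_and_classify COMMAND [ARG...]
# Sets RUN_OUT (standard output), RUN_ERR (standard error), RUN_STATUS (exit
# status) and RUN_KIND, one of: output, error, output+error, silent.
run_and_classify() {
    out_file=$(mktemp)
    err_file=$(mktemp)
    RUN_STATUS=0
    # 1> redirects standard output and 2> redirects standard error, each to
    # its own file.  The "||" records a failure instead of aborting the
    # script when "set -e" is in effect.
    "$@" 1>"$out_file" 2>"$err_file" || RUN_STATUS=$?
    RUN_OUT=$(cat "$out_file")
    RUN_ERR=$(cat "$err_file")
    rm -f "$out_file" "$err_file"
    if [ -n "$RUN_OUT" ] && [ -n "$RUN_ERR" ]; then
        RUN_KIND="output+error"
    elif [ -n "$RUN_ERR" ]; then
        RUN_KIND="error"          # the OS could not act on the command
    elif [ -n "$RUN_OUT" ]; then
        RUN_KIND="output"         # the computer's response to the input
    else
        RUN_KIND="silent"         # accepted, nothing to say (like a good cd)
    fi
}

# report COMMAND [ARG...] -> one summary line per command run.
report() {
    run_and_classify "$@"
    printf '%-22s kind=%-12s status=%-3s stdout=[%s] stderr=[%s]\n' \
        "$*" "$RUN_KIND" "$RUN_STATUS" "$RUN_OUT" "$RUN_ERR"
}

# The cases from the video, plus the permissions failure it mentions.  The
# last case only fails when this script is run as an unprivileged user.
report echo hello        # output: the string comes back on standard output
report eco hello         # error: no command named "eco", exit status 127
report true              # silent: accepted, no output at all
locked=$(mktemp)
chmod 000 "$locked"      # constructed file nobody may read
report cat "$locked"     # error (as non-root): permission denied
rm -f "$locked"
```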


Congratulations! You passed! Grade received: 100% (to pass: 75% or higher)


Question 1 (1/1 point)

What is the shell?

  An instruction telling the computer to do something
  Information received by the operating system (OS) via the command line
  Data consisting of an ordered sequence of characters
  The command-line interpreter

Correct answer: The command-line interpreter. The shell is the command-line interpreter. It processes commands and outputs the results.


Question 2 (1/1 point)

After a user inputs a command into the shell, what can the shell return to the user? Select two answers.

  Output
  A request for user approval
  A request for more input from the user
  An error message

Correct answers: Output; An error message. After a user inputs a command into the shell, the shell can return output or an error message to the user. Output is the computer's response to the user's input. An error message occurs when the shell cannot interpret the input.


Question 3 (1/1 point)

What is standard error in Linux?

  A Linux command that outputs a specified string of text
  Error messages returned by the operating system through the shell
  Information returned by the operating system through the shell
  Information received by the operating system via the command line

Correct answer: Error messages returned by the operating system through the shell. Standard error contains error messages returned by the OS through the shell.


Question 4 (1/1 point)

What is the difference between standard input and standard output?

  Standard input is sent from the operating system. Standard output is sent to the operating system.
  Standard input is sent to the operating system. Standard output is sent from the operating system.
  Standard input is sent to the Filesystem Hierarchy Standard (FHS). Standard output is sent from the FHS.
  Standard input is sent from the Filesystem Hierarchy Standard (FHS). Standard output is sent to the FHS.

Correct answer: Standard input is sent to the operating system. Standard output is sent from the operating system.


Wrap-up 


We've made it to the end of this section. Great work! Let's recap what you've just completed.

In this section, you learned about the Linux operating system. We examined the architecture of Linux. In our exploration of the different distributions of Linux, we discussed some of the most widely used distros in security. You were introduced to KALI LINUX™, Ubuntu, Parrot, Red Hat, and CentOS distributions. Finally, you learned about the shell and its role as an interpreter between the user and operating system.

Congratulations! You're doing great, and we have more useful topics to come. In the next part of the program, you'll learn specific commands to use within the shell while working as a security analyst. Let's continue on.


Glossary terms from module 2 


Terms and definitions from Course 4, Module 2 


Application: A program that performs a specific task

Bash: The default shell in most Linux distributions

CentOS: An open-source distribution that is closely related to Red Hat

Central Processing Unit (CPU): A computer’s main processor, which is used to perform general computing tasks on a computer

Command: An instruction telling the computer to do something

Digital forensics: The practice of collecting and analyzing data to determine what has happened after an attack

Directory: A file that organizes where other files are stored

Distributions: The different versions of Linux

File path: The location of a file or directory

Filesystem Hierarchy Standard (FHS): The component of the Linux OS that organizes data

Graphical user interface (GUI): A user interface that uses icons on the screen to manage different tasks on the computer

Hard drive: A hardware component used for long-term memory

Hardware: The physical components of a computer

Internal hardware: The components required to run the computer

Kali Linux™: An open-source distribution of Linux that is widely used in the security industry

Kernel: The component of the Linux OS that manages processes and memory

Linux: An open-source operating system

Package: A piece of software that can be combined with other packages to form an application

Package manager: A tool that helps users install, manage, and remove packages or applications

Parrot: An open-source distribution that is commonly used for security

Penetration test (pen test): A simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes

Peripheral devices: Hardware components that are attached and controlled by the computer system

Random Access Memory (RAM): A hardware component used for short-term memory

Red Hat® Enterprise Linux® (also referred to simply as Red Hat in this course): A subscription-based distribution of Linux built for enterprise use

Shell: The command-line interpreter

Standard error: An error message returned by the OS through the shell

Standard input: Information received by the OS via the command line

Standard output: Information returned by the OS through the shell

String data: Data consisting of an ordered sequence of characters

Ubuntu: An open-source, user-friendly distribution that is widely used in security and other industries

User: The person interacting with a computer


Welcome to module 3 


Learning to communicate in a new way can be exciting. Maybe you've learned a new language and can remember this feeling. Perhaps a lot of us share this excitement with young children as they are expanding their vocabulary. Others, including me, remember a sense of wonder when we first used a specialized language to communicate with our computers. In this section, we'll continue to learn more about Linux and how to communicate with the OS through its shell.

You'll utilize the command line to communicate with the OS. You'll learn how to input commands in 
the shell and learn about some of the core Linux commands that you'll use as a security analyst. 
Specifically, this includes navigating and managing the file system. You'll also focus on 
authenticating and authorizing users. This means you'll be able to use a command line to add and 
delete users from the system and to control what they have access to. Finally, there's always more 
to learn. We'll cover accessing resources that support learning new Linux commands. 

I remember when I first learned about the command line and was shocked at the capabilities it provided. I didn't need to click through multiple screens to get tasks done. Although it took some practice and time to get used to, it has been one of the biggest tools at my disposal. After this section, you'll have a practical experience in an area important to the work of a security analyst: using Linux commands.


Linux commands via the Bash shell 


Welcome back. Before we get into specific Linux commands, let's explore in more detail the basics 
of communicating with the OS through the shell. Being able to utilize Linux commands is a 
foundational skill for all security professionals. As a security analyst, you will work with server logs 
and you'll need to know how to navigate, manage and analyze files remotely without a graphical user 
interface. In addition, you'll need to know how to verify and configure users and group access. You'll 
also need to give authorization and set file permissions. That means that developing skills with the 
command line is essential for your work as a security analyst. When we learned about the Linux 
architecture, we learned that the shell is one of the main components of an operating system. We 
also learned that there are different shells. In this section, we'll utilize the Bash shell. 

Bash is the default shell in most Linux distributions. For the most part, the key Linux commands that 
you'll be learning in this section are the same across shells. Now that you know what shell you'll be 
using, let's go into how to write in Bash. As we discussed in a previous section, communicating with 
your OS is like a conversation. You type in commands, and the OS responds with an answer to your 
command. A command is an instruction telling the computer to do something. 

We'll try out a command in Bash. Notice a dollar sign before the cursor. This is your prompt to enter 
a new command. Some commands might tell the computer to find something like a specific file. 
Others might tell it to launch a program. Or, it might be to output a specific string of text. In the last 
section, when we discussed input and output, we explored how the echo command did this. 

Let's input the echo command again. You may notice that the command we just input is not complete. If we're going to use the echo command to output a specific string of text, we need to specify what the string of text is. This is what arguments are for. An argument is specific information needed by a command. Some commands take multiple arguments. So now let's complete the echo command with an argument. We're learning some pretty technical stuff, so how about we output the words: "You are doing great!" We'll add this argument, and then we'll press enter to get the output. In this example, our argument was a string of text. Arguments can provide other types of information as well. One thing that is really important in Linux is that all commands and arguments are case sensitive. This includes file and directory names. Keep that in mind as you learn more about how to use Linux in your day-to-day tasks as a security analyst. Okay, now that we've covered the basics of entering Linux commands and arguments through the Bash shell, we're ready to learn some specific commands. This is exciting, so let's get to our next video!


Core commands for navigation and reading files


Welcome back. I hope you're learning a lot about how to communicate with the Linux OS. As we continue our journey into utilizing the Linux command line, we'll focus on how to navigate the Linux file system.

Now, I want you to imagine a tree. What did you notice first about the tree? Would you say the trunk or the branches? These might definitely get your attention, but what about its roots? Everything about a tree starts in the roots. Something similar happens when we think about the Linux file system.

Previously, we learned about the components of the Linux architecture. The Filesystem Hierarchy Standard, or FHS, is the component of the Linux OS that organizes data. This file system is a very important part of Linux because everything we do in Linux is considered a file somewhere in the system's directory. The FHS is a hierarchical system, and just like with a tree, everything grows and branches out from the root. The root directory is the highest-level directory in Linux. It's designated by a single slash. Subdirectories branch off from the root directory. The subdirectories branch out further and further away from the root directory. When describing the directory structure in Linux, slashes are used when tracing back through these branches to the root. For example, here, the first slash indicates the root directory. Then it branches out a level into the home subdirectory. Another slash indicates it is branching out again. This time it's to the analyst subdirectory that is located within home. When working in security, it is essential that you learn to navigate a file system to locate and analyze files such as logs. You'll analyze these log files for application usage and authentication.

With that background, we're now ready to learn the commands commonly used for navigating the file system. First, pwd prints the working directory onto the screen. When you use this command, the output tells you which directory you're currently in. Next, ls displays the names of files and directories in the current working directory. And finally, cd navigates between directories. This is the command you'll use when you want to change directories.

Let's use these commands in Bash. First, we'll type the command pwd to display the current location and then press enter. The output is the path to the analyst directory where we're currently working. Next, let's input ls to display the files and directories within the analyst directory. The output is the names of four directories: logs, oldreports, projects, and reports, and one file named updates.txt. So let's say we now want to go into the logs directory to check for unauthorized access. We'll input: cd logs to change directories. We won't get any output on the screen from the cd command, but if we enter pwd again, its output indicates that the working directory is logs. Logs is a subdirectory of the analyst directory.

As a security analyst, you'll also need to know how to read file content in Linux. For example, you 
may need to read files that contain configuration settings to identify potential vulnerabilities. Or, you 
might look at user access reports while investigating unauthorized access. When reading file 
content, there are some commands that will help you. First, cat displays the content of a file. This is 
useful, but sometimes you won't want the full contents of a large file. In these cases, you can use the 
head command. It displays just the beginning of a file, by default ten lines. 

Let's try out these commands. Imagine that we want to read the contents of access.txt, and we're 
already in the working directory where it's located. First, we input the cat command and then follow it 
with the name of the file, access.txt. And Bash returns the full contents of this file. Let's compare that 
to the head command. When we input the head command followed by our file name, only the first 10 
lines of this file are displayed. 

Wow, this section had lots of action, and it's just the beginning! I'm glad you learned how security analysts can use essential commands to navigate the system. Next, we'll explore how to manage the system.


Navigate Linux and read file content 


In this reading, you'll review how to navigate the file system using Linux commands in Bash. You'll further explore the organization of the Linux Filesystem Hierarchy Standard, review several common Linux commands for navigation and reading file content, and learn a couple of new commands.


Filesystem Hierarchy Standard (FHS) 


Previously, you learned that the Filesystem Hierarchy Standard (FHS) is the component of Linux that organizes data. The FHS is important because it defines how directories, directory contents, and other storage are organized in the operating system.


This diagram illustrates the hierarchy of relationships under the FHS:

[Diagram: the root directory (/) at the top, with the standard directories home, bin, and etc beneath it; home branches into the user directories analyst and analyst2, each with subdirectories such as projects, logs, and reports.]


Under the FHS, a file’s location can be described by a file path. A file path is the location of a file or directory. In the file path, the different levels of the hierarchy are separated by a forward slash (/).

Root directory

The root directory is the highest-level directory in Linux, and it’s always represented with a forward slash (/). All subdirectories branch off the root directory. Subdirectories can continue branching out to as many levels as necessary.


Standard FHS directories 


Directly below the root directory, you'll find standard FHS directories. In the diagram, home, bin, and etc are standard FHS directories. Here are a few examples of what standard directories contain:

• /home: Each user in the system gets their own home directory.

• /bin: This directory stands for “binary” and contains binary files and other executables. Executables are files that contain a series of commands a computer needs to follow to run programs and perform other functions.

• /etc: This directory stores the system’s configuration files.

• /tmp: This directory stores many temporary files. The /tmp directory is commonly used by attackers because anyone in the system can modify data in these files.

• /mnt: This directory stands for “mount” and stores media, such as USB drives and hard drives.

Pro Tip: You can use the man hier command to learn more about the FHS and its standard directories.


User-specific subdirectories 


Under home are subdirectories for specific users. In the diagram, these users are analyst and analyst2. Each user has their own personal subdirectories, such as projects, logs, or reports.

Note: When the path leads to a subdirectory below the user’s home directory, the user’s home directory can be represented as the tilde (~). For example, /home/analyst/logs can also be represented as ~/logs.

You can navigate to specific subdirectories using their absolute or relative file paths. The absolute file path is the full file path, which starts from the root. For example, /home/analyst/projects is an absolute file path. The relative file path is the file path that starts from a user's current directory.

Note: Relative file paths can use a dot (.) to represent the current directory, or two dots (..) to represent the parent of the current directory. An example of a relative file path could be ../projects.


Key commands for navigating the file system 


The following Linux commands can be used to navigate the file system: pwd, ls, and cd.


pwd 


The pwd command prints the working directory to the screen. Or in other words, it returns the directory that you’re currently in.

The output gives you the absolute path to this directory. For example, if you’re in your home directory and your username is analyst, entering pwd returns /home/analyst.

Pro Tip: To learn what your username is, use the whoami command. The whoami command returns the username of the current user. For example, if your username is analyst, entering whoami returns analyst.


ls


The ls command displays the names of the files and directories in the current working directory. For example, in the video, ls returned directories such as logs, and a file called updates.txt.

Note: If you want to return the contents of a directory that’s not your current working directory, you can add an argument after ls with the absolute or relative file path to the desired directory. For example, if you’re in the /home/analyst directory but want to list the contents of its projects subdirectory, you can enter ls /home/analyst/projects or just ls projects.


cd 


The cd command navigates between directories. When you need to change directories, you should use this command.

To navigate to a subdirectory of the current directory, you can add an argument after cd with the subdirectory name. For example, if you’re in the /home/analyst directory and want to navigate to its projects subdirectory, you can enter cd projects.

You can also navigate to any specific directory by entering the absolute file path. For example, if you're in /home/analyst/projects, entering cd /home/analyst/logs changes your current directory to /home/analyst/logs.

Pro Tip: You can use the relative file path and enter cd .. to go up one level in the file structure. For example, if the current directory is /home/analyst/projects, entering cd .. would change your working directory to /home/analyst.


Common commands for reading file content 


The following Linux commands are useful for reading file content: cat, head, tail, and less. 


cat 


The cat command displays the content of a file. For example, entering cat updates.txt returns everything in the updates.txt file.


head 


The head command displays just the beginning of a file, by default 10 lines. The head command can be useful when you want to know the basic contents of a file but don’t need the full contents. Entering head updates.txt returns only the first 10 lines of the updates.txt file.

Pro Tip: If you want to change the number of lines returned by head, you can specify the number of lines by including -n. For example, if you only want to display the first five lines of the updates.txt file, enter head -n 5 updates.txt.


tail 
The tail command does the opposite of head. This command can be used to display just the end of a file, by default 10 lines. Entering tail updates.txt returns only the last 10 lines of the updates.txt file.


Pro Tip: You can use tail to read the most recent information in a log file. 


less 


The less command returns the content of a file one page at a time. For example, entering less updates.txt changes the terminal window to display the contents of updates.txt one page at a time. This allows you to easily move forward and backward through the content.

Once you’ve accessed your content with the less command, you can use several keyboard controls to move through the file:

• Space bar: Move forward one page

• b: Move back one page

• Down arrow: Move forward one line

• Up arrow: Move back one line

• q: Quit and return to the previous terminal window


Key takeaways 


It’s important for security analysts to be able to navigate Linux and the file system of the FHS. Some key commands for navigating the file system include pwd, ls, and cd. Reading file content is also an important skill in the security profession. This can be done with commands such as cat, head, tail, and less.
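The navigation and reading commands from this reading, exercised against a throwaway copy of the /home/analyst tree. This is an added example, not course material: the directory tree, the 15-line access.txt and the use of a temporary directory as a stand-in for the real home directory are all constructed here.

```shell
#!/bin/sh
# Added example (not part of the course): build a throwaway copy of the
# /home/analyst tree from the video and walk it with pwd, ls, cd, head and tail.
set -eu

SANDBOX=$(mktemp -d)                 # everything lives here; removed on exit
trap 'rm -rf "$SANDBOX"' EXIT
ANALYST="$SANDBOX/home/analyst"      # stands in for the real /home/analyst
mkdir -p "$ANALYST/logs" "$ANALYST/oldreports" "$ANALYST/projects" "$ANALYST/reports"
: > "$ANALYST/updates.txt"

# Constructed access log: 15 lines, one per day, newest last.
i=1
while [ "$i" -le 15 ]; do
    printf '2024-01-%02d 08:00:00 login user%d OK\n' "$i" "$i"
    i=$((i + 1))
done > "$ANALYST/logs/access.txt"

# ls on the analyst directory: four subdirectories and one file.
list_analyst() {
    ls "$ANALYST"
}

# Relative navigation: cd into logs, then cd .. back up one level. The
# subshell keeps the caller's working directory unchanged.
after_cd_up() {
    ( cd "$ANALYST/logs" && cd .. && pwd )
}

# Tilde navigation: with HOME pointing at the analyst directory, ~/logs is
# the same place as the absolute path $ANALYST/logs.
tilde_logs() {
    ( HOME="$ANALYST"; cd ~/logs && pwd )
}

# head -n 5: only the first five lines of the file.
first_five() {
    head -n 5 "$ANALYST/logs/access.txt"
}

# tail with its default of 10 lines: the most recent entries of a log.
last_ten() {
    tail "$ANALYST/logs/access.txt"
}

printf 'analyst directory holds:\n%s\n' "$(list_analyst)"
printf 'after cd logs; cd ..: %s\n' "$(after_cd_up)"
printf 'cd ~/logs landed in: %s\n' "$(tilde_logs)"
printf 'head -n 5 gives %s lines; tail gives %s lines\n' \
    "$(first_five | wc -l | tr -d ' ')" "$(last_ten | wc -l | tr -d ' ')"
```

less is interactive and so is not shown here; its pager controls are the ones listed above.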


Question 1

What is a command?

1/1 point

An instruction that tells a computer to do something
A component of the Linux architecture
A common shell in many Linux distributions
The highest-level directory in Linux

Correct

A command is an instruction that tells a computer to do something.

Question 2

Which of the following commands prints the working directory to the screen?

1/1 point

ls
head
pwd
cat

Correct

The pwd command prints the working directory to the screen.

Question 3

What does the cd command do?

1/1 point

Outputs a specified string of text
Prints the working directory to the screen
Navigates between directories
Displays the names of files in the current directory

Correct

The cd command navigates between directories.

Question 4

A security professional enters head access.txt into a shell. What are they telling the operating system to do?

1/1 point

Display the first 10 lines of access.txt
Return the content of access.txt one page at a time
Remove the first 5 lines of access.txt
Add a header to the file named access.txt

Correct

They are telling the operating system to display the first 10 lines of access.txt. The head command displays just the beginning of a file, by default 10 lines.

Question 5

What is the difference between an absolute file path and a relative file path?

1/1 point

An absolute file path ends with a backslash (\), and a relative file path ends with a forward slash (/).
An absolute file path ends with a forward slash (/), and a relative file path ends with a backslash (\).
An absolute file path starts from the current directory, and a relative file path starts from the root.
An absolute file path starts from the root, and a relative file path starts from the current directory.

Correct

An absolute file path is the full file path that starts from the root, and a relative file path is a shorter file path that starts from the current directory.


Find what you need with Linux 


Now that we covered pwd, ls, and cd and are familiar with these basic commands for navigating the Linux file system, let's look at a couple of ways to find what you need within this system. As a security analyst, your work will likely involve filtering for the information you need. Filtering means searching your system for specific information that can help you solve complex problems. For example, imagine that your team determines a piece of malware contains a string of characters. You might be tasked with finding other files with the same string to determine if those files contain the same malware. Later, we'll learn more about how you can use SQL to filter a database, but Linux is a good place to start basic filtering.

First, we'll start with grep. The grep command searches a specified file and returns all lines in the file containing a specified string. Here's an example of this. Let's say we have a file called updates.txt, and we're currently looking for lines that contain the word: OS. If the file is large, it would take a long time to visually scan for this. Instead, after navigating to the directory that contains updates.txt, we'll type the command: grep OS updates.txt into the shell. Notice how the grep command is followed by two arguments. The first argument is the string we're searching for; in this case, OS. The second argument is the name of the file we're searching through, updates.txt. When we press enter, Bash returns all lines containing the word OS.

Now let's talk about piping. Piping is a Linux command that can be used for a variety of purposes. In a moment, we'll focus on how it can be used for filtering. But first, let's talk about the general idea of piping. The piping command sends a standard output of one command as standard input into another command for further processing. It's represented by the vertical bar character. In our context, we can refer to this as the pipe character. Take a moment and imagine a physical pipe. Physical pipes have two ends. On one end, for example, water might enter the pipe from a hot water tank. Then, it travels through the pipe and comes out on the other end in a sink. Similarly, in Linux, piping also involves redirection. Output from one command is sent through the pipe and then is used on the other side of the pipe. Earlier in this video, I explained how grep can be used to filter for strings of characters within a file. Grep can also be incorporated after a pipe.

Let's focus on this example. The first command, ls, instructs the operating system to output the file and directory contents of the reports subdirectory. But because the command is followed by the pipe, the output isn't returned to the screen. Instead, it's sent to the next command. As we just learned, grep searches for a specified string of characters; in this case, it's users. But where is it searching? Since grep follows a pipe, the output of the previous command indicates where to search. In this case, that output is a list of files and directories within the reports subdirectory. It will return all files and directories that contain the word: users.

Let's explore this in Bash. So we can better understand how the filter works, let's first output everything in the reports directory. If we were already in the directory, we would just need to input ls. But since we're not, we'll also specify the path to this directory. When we press enter, the output indicates there are seven files in the reports directory. Because we want to return only the files that contain the word users, we'll combine this ls command with piping and the grep command. As the output demonstrates, Linux has been instructed to return only files that contain the word users. The two files that don't contain this string no longer appear.


So now you have two different ways that you can filter in Linux while working as an analyst. Navigating through files and filtering are just part of what you need to know. Let's keep exploring the Linux command line.


Filter content in Linux 


In this reading, you'll continue exploring Linux commands, which can help you filter for the information you need. You'll learn a new Linux command, find, which can help you search files and directories for specific information.


Filtering for information 


You previously explored how filtering for information is an important skill for security analysts. Filtering is selecting data that match a certain condition. For example, if you had a virus in your system that only affected the .txt files, you could use filtering to find these files quickly. Filtering allows you to search based on specific criteria, such as file extension or a string of text.


grep 


The grep command searches a specified file and returns all lines in the file containing a specified string. The grep command commonly takes two arguments: a specific string to search for and a specific file to search through.

For example, entering grep OS updates.txt returns all lines containing OS in the updates.txt file. In this example, OS is the specific string to search for, and updates.txt is the specific file to search through.


Piping 
The pipe command is accessed using the pipe character (|). Piping sends the standard output of one command as standard input to another command for further processing. As a reminder, standard output is information returned by the OS through the shell, and standard input is information received by the OS via the command line.

The pipe character (|) is located in various places on a keyboard. On many keyboards, it’s located 
on the same key as the backslash character (\). On some keyboards, the | can look different and 
have a small space through the middle of the line. If you can’t find the |, search online for its location 
on your particular keyboard. 

When used with grep, the pipe can help you find directories and files containing a specific word in their names. For example, ls /home/analyst/reports | grep users returns the file and directory names in the reports directory that contain users. Before the pipe, ls indicates to list the names of the files and directories in reports. Then, it sends this output to the command after the pipe. In this case, grep users returns all of the file or directory names containing users from the input it received.

Note: Piping is a general form of redirection in Linux and can be used for multiple tasks other than filtering. You can think of piping as a general tool that you can use whenever you want the output of one command to become the input of another command.


find 


The find command searches for directories and files that meet specified criteria. There’s a wide range of criteria that can be specified with find. For example, you can search for files and directories that

• Contain a specific string in the name,

• Are a certain file size, or

• Were last modified within a certain time frame.


When using find, the first argument after find indicates where to start searching. For example, entering find /home/analyst/projects searches for everything starting at the projects directory.


After this first argument, you need to indicate your criteria for the search. If you don’t include a 
specific search criteria with your second argument, your search will likely return a lot of directories 
and files. 

Specifying criteria involves options. Options modify the behavior of a command and commonly begin with a hyphen (-).

-name and -iname


One key criterion analysts might use with find is to find file or directory names that contain a specific string. The specific string you’re searching for must be entered in quotes after the -name or -iname options. The difference between these two options is that -name is case-sensitive, and -iname is not.


For example, you might want to find all files in the projects directory that contain the word “log” in 
the file name. To do this, you’d enter find /home/analyst/projects -name "*log*". You 
could also enter find /home/analyst/projects -iname "*log*". 

In these examples, the output would be all files in the projects directory that contain log surrounded by zero or more characters. The "*log*" portion of the command is the search criteria that indicates to search for the string “log”. When -name is the option, files with names that include Log or LOG, for example, wouldn’t be returned because this option is case-sensitive. However, they would be returned when -iname is the option.


Note: An asterisk (*) is used as a wildcard to represent zero or more unknown characters. 


-mtime 


Security analysts might also use find to find files or directories last modified within a certain time frame. The -mtime option can be used for this search. For example, entering find /home/analyst/projects -mtime -3 returns all files and directories in the projects directory that have been modified within the past three days.


The -mtime option search is based on days, so entering -mtime +1 indicates all files or directories 
last modified more than one day ago, and entering -mtime -1 indicates all files or directories last 
modified less than one day ago. 

Note: The option -mmin can be used instead of -mtime if you want to base the search on minutes rather than days.


Key takeaways 


Filtering for information using Linux commands is an important skill for security analysts so that they can customize data to fit their needs. Three key Linux commands for this are grep, piping (|), and find. These commands can be used to navigate and filter for information in the file system.
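The three filtering tools from this reading (grep with two arguments, ls piped into grep, and find with -name, -iname and -mtime) run against a constructed tree. This is an added example and not course material: the temporary sandbox, the updates.txt contents, the seven report file names and the mixed-case project files (one given an old timestamp so -mtime has something to separate) are all assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the course): grep, piping and find run against a
# constructed directory tree in a temp directory, so nothing real is touched.
set -eu

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
ANALYST="$SANDBOX/home/analyst"
REPORTS="$ANALYST/reports"
PROJECTS="$ANALYST/projects"
mkdir -p "$REPORTS" "$PROJECTS"

# Constructed updates.txt: three of the five lines mention OS.
cat > "$ANALYST/updates.txt" <<'EOF'
2024-01-03 OS patch applied to analyst workstation
2024-01-05 email client updated
2024-01-09 OS kernel update scheduled
2024-01-12 antivirus signatures refreshed
2024-01-15 OS firewall rules reviewed
EOF

# Constructed reports: seven files, five of them with "users" in the name.
for f in users.txt users_history.txt users_permissions.txt \
         unauthorized_users.txt total_users.txt \
         vulnerabilities.txt email_policy.txt; do
    : > "$REPORTS/$f"
done

# Constructed project files with mixed-case names, plus one made to look old
# (mtime set to 2024-01-01 00:00) so -mtime has something to distinguish.
for f in access_log.txt error_LOG.txt Logins.csv notes.txt archive_log.txt; do
    : > "$PROJECTS/$f"
done
touch -t 202401010000 "$PROJECTS/archive_log.txt"

# grep STRING FILE: the lines of updates.txt that contain OS.
os_update_lines() {
    grep OS "$ANALYST/updates.txt"
}

# ls | grep: only names in reports that contain "users"; the other two drop out.
reports_with_users() {
    ls "$REPORTS" | grep users
}

# find with -name (case-sensitive) or -iname (case-insensitive); $1 picks the
# option. Only regular files are listed, as bare names, sorted in C order so
# the output is stable.
project_files_named_log() {
    find "$PROJECTS" -type f "$1" "*log*" | sed 's#.*/##' | LC_ALL=C sort
}

# find with -mtime: $1 is the day expression, e.g. -3 (modified within the
# last 3 days) or +1 (modified more than 1 day ago).
project_files_by_age() {
    find "$PROJECTS" -type f -mtime "$1" | sed 's#.*/##' | LC_ALL=C sort
}

printf 'grep OS updates.txt:\n%s\n' "$(os_update_lines)"
printf 'ls reports | grep users:\n%s\n' "$(reports_with_users)"
printf 'find -name "*log*":\n%s\n' "$(project_files_named_log -name)"
printf 'find -iname "*log*":\n%s\n' "$(project_files_named_log -iname)"
printf 'find -mtime +1 (older than a day):\n%s\n' "$(project_files_by_age +1)"
printf 'find -mtime -3 (changed within 3 days):\n%s\n' "$(project_files_by_age -3)"
```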


Create and modify directories and files 


Let's make some branches! What do I mean by that? Well, in a previous video, we discussed root directories and how other subdirectories branch off of the root directory. Let's think again about the file directory system as a tree. The subdirectories are the branches of the tree. They're all connected from the same root but can grow to make a complex tree. In this video, we'll create directories and files and learn how to modify them.

When it comes to working with data in security, organization is key. If we know where information is 
located, it makes it easier to detect issues and keep information safe. In a previous video, we've 
already discussed navigating between directories, but let's take a moment to examine directories 
more closely. It's possible you're familiar with the concept of folders for organizing information. In 
Linux, we have directories. Directories help organize files and subdirectories. For example, within a 
directory for reports, an analyst may need to create two subdirectories: one for drafts and one for 
final reports. 

Now that we know why we need directories, let's take a look at some essential Linux commands for managing directories and files. First, let's take note of commands for creating and removing directories. The mkdir command creates a new directory. In contrast, rmdir removes or deletes a directory. A helpful feature of this command is its built-in warning that lets you know a directory is not empty. This saves you from accidentally deleting files. Next, you'll use other commands for creating and removing files. The touch command creates a new file, and then the rm command removes or deletes a file. And last, we have our commands for copying and moving files or directories. The mv command moves a file or directory to a new location, and cp copies a file or directory into a new location.

Now, we're ready to try out these commands. First, let's use the pwd command, and then let's display the names of the files and directories in the analyst directory with the ls command. Imagine that we no longer need the oldreports directory that appears among the file contents. Let's take a look at how to remove it. We input the rmdir command and follow it with the name of the directory we want to remove: oldreports. We can use the ls command to confirm that oldreports has been deleted and no longer appears among the contents.

Now, let's make another change. We want a new directory for drafts of reports. We need to use the command: mkdir and specify a name for this directory: drafts. If we input ls again, we'll notice the new directory drafts included among the contents of the analyst directory. Let's change into this new directory by entering: cd drafts. If we run ls, it doesn't return any output, indicating that this directory is currently empty. But next, we'll add some files to it. Let's say we want to draft new reports on recently installed email and OS patches. To create these files, we input: touch email_patches.txt and then: touch OS_patches.txt.

Running ls indicates that these files are now in the drafts directory. What if we realize that we only need a new report on OS patches and we want to delete the email patches report? To do this, we input the rm command and specify the file to delete as: email_patches.txt. Running ls confirms that it's been deleted. Now, let's focus on our commands for moving and copying. We realized that we have a file called email policy in the reports folder that is currently in draft format. We want to move it into the newly created drafts folder. To do this, we need to change into the directory that currently has that file.

Running ls in that directory indicates that it contains several files, including email_policy.txt. Then to move that file, we'll enter the mv command followed by two arguments. The first argument after mv identifies the file to be moved. The second argument indicates where to move it. If we change directories into drafts and then display its contents, we'll notice that the email policy file has been moved to this directory. We'll change back into reports. Displaying the file contents confirms that email_policy is no longer there.

Okay, one more thing. vulnerabilities.txt is a file that we want to keep in the reports directory. But since it affects an upcoming project, we also want to copy it into the projects directory. Since we're already in the directory that has this file, we'll use the cp command to copy it into the projects directory. Notice that the first argument indicates which file to copy, and the second argument provides the path to the directory that it will be copied into. When we press Enter, this copies the vulnerabilities file into the projects directory while also leaving the original within reports. Isn't it cool what we can do with these commands?

Now, let's focus on one more concept related to modifying files. In addition to using commands, you 
can also use applications to help you edit files. As a security analyst, file editors are often necessary 
for your daily tasks, like writing or editing reports. A popular file editor is nano. It's good for 
beginners. You can access this tool through the nano command. Let's get familiar with nano 
together. We'll add a title to our new draft report: OS_patches.txt. First, we change into the directory 
containing that file, then we input nano followed by the name of the file we want to edit: 
OS_patches.txt. This brings up the nano file editor with that file open. For now, we'll just enter the 
title OS Patches by typing this into the editor. We need to save this before returning to the command 
line, and to do so, we press Ctrl+O and then enter to save it with the current file name. Then to exit, 
we press Ctrl+X. 

Great work! We've covered a lot of topics here—from creating and removing directories and files to copying or moving them, and just now, we've added editing files. You're well on your way to learning Linux commands!


Manage directories and files 


Previously, you explored how to manage the file system using Linux commands. The following commands were introduced: mkdir, rmdir, touch, rm, mv, and cp. In this reading, you'll review these commands, the nano text editor, and learn another way to write to files.


Creating and modifying directories 


mkdir 


The mkdir command creates a new directory. Like all of the commands presented in this reading, you can either provide the new directory as the absolute file path, which starts from the root, or as a relative file path, which starts from your current directory.

For example, if you want to create a new directory called network in your /home/analyst/logs 
directory, you can enter mkdir /home/analyst/logs/network to create this new directory. If 
you’re already in the /home/analyst/logs directory, you can also create this new directory by 
entering mkdir network. 


Pro Tip: You can use the ls command to confirm the new directory was added.


rmdir 


The rmdir command removes, or deletes, a directory. For example, entering rmdir /home/analyst/logs/network would remove this empty directory from the file system.

Note: The rmdir command cannot delete directories with files or subdirectories inside. For example, entering rmdir /home/analyst returns an error message.

Creating and modifying files


touch and rm 


The touch command creates a new file. This file won’t have any content inside. If your current directory is /home/analyst/reports, entering touch permissions.txt creates a new file in the reports subdirectory called permissions.txt.

The rm command removes, or deletes, a file. This command should be used carefully because it’s not easy to recover files deleted with rm. To remove the permissions file you just created, enter rm permissions.txt.

Pro Tip: You can verify that permissions.txt was successfully created or removed by entering ls.


mv and cp 


You can also use mv and cp when working with files. The mv command moves a file or directory to a 
new location, and the cp command copies a file or directory into a new location. The first argument 
after mv or cp is the file or directory you want to move or copy, and the second argument is the 
location you want to move or copy it to. 

To move permissions.txt into the logs subdirectory, enter mv permissions.txt /home/analyst/logs. Moving a file removes the file from its original location. However, copying a file doesn’t remove it from its original location. To copy permissions.txt into the logs subdirectory while also keeping it in its original location, enter cp permissions.txt /home/analyst/logs.

Note: The mv command can also be used to rename files. To rename a file, pass the new name in as the second argument instead of the new location. For example, entering mv permissions.txt perm.txt renames the permissions.txt file to perm.txt.


nano text editor 


nano is a command-line file editor that is available by default in many Linux distributions. Many 
beginners find it easy to use, and it’s widely used in the security profession. You can perform 
multiple basic tasks in nano, such as creating new files and modifying file contents. 

To open an existing file in nano from the directory that contains it, enter nano followed by the file name. For example, entering nano permissions.txt from the /home/analyst/reports directory opens a new nano editing window with the permissions.txt file open for editing. You can also provide the absolute file path to the file if you’re not in the directory that contains it.

You can also create a new file in nano by entering nano followed by a new file name. For example, entering nano authorized_users.txt from the /home/analyst/reports directory creates the authorized_users.txt file within that directory and opens it in a new nano editing window.

Since there isn't an auto-saving feature in nano, it’s important to save your work before exiting. To save a file in nano, use the keyboard shortcut Ctrl + O. You'll be prompted to confirm the file name before saving. To exit out of nano, use the keyboard shortcut Ctrl + X.


Note: Vim and Emacs are also popular command-line text editors. 


Standard output redirection 


There’s an additional way you can write to files. Previously, you learned about standard input and 
standard output. Standard input is information received by the OS via the command line, and 
standard output is information returned by the OS through the shell. 

You’ve also learned about piping. Piping sends the standard output of one command as standard input to another command for further processing. It uses the pipe character (|).

In addition to the pipe (|), you can also use the right angle bracket (>) and double right angle 
bracket (>>) operators to redirect standard output. 

When used with echo, the > and >> operators can be used to send the output of echo to a specified file rather than the screen. The difference between the two is that > overwrites your existing file, and >> adds your content to the end of the existing file instead of overwriting it. The > operator should be used carefully, because it’s not easy to recover overwritten files.


When you’re inside the directory containing the permissions.txt file, entering echo "last updated date" >> permissions.txt adds the string “last updated date” to the file contents. Entering echo "time" > permissions.txt after this command overwrites the entire file contents of permissions.txt with the string “time”.

Note: Both the > and >> operators will create a new file if one doesn’t already exist with your specified name.


Key takeaways 


Knowing how to manage the file system in Linux is an important skill for security analysts. Useful commands for this include: mkdir, rmdir, touch, rm, mv, and cp. When security analysts need to write to files, they can use the nano text editor, or the > and >> operators.
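The file-management commands and the > and >> operators from this reading, exercised in a throwaway directory. This is an added example, not course material: the sandbox layout, the file names and the helper functions are assumptions made here so that each behaviour (rmdir refusing a non-empty directory, cp keeping the original while mv does not, mv renaming, >> appending versus > overwriting) can be checked rather than just read about.

```shell
#!/bin/sh
# Added example (not part of the course): mkdir/rmdir, touch/rm, mv/cp and
# the > and >> redirection operators, run inside a temp directory so nothing
# outside the sandbox is created or deleted.
set -eu

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
ANALYST="$SANDBOX/home/analyst"
REPORTS="$ANALYST/reports"
LOGS="$ANALYST/logs"
PROJECTS="$ANALYST/projects"
mkdir -p "$REPORTS" "$LOGS" "$PROJECTS"

# rmdir only deletes empty directories: on a directory that still holds a
# file it fails and leaves everything in place. Prints "refused" or "removed".
rmdir_nonempty() {
    mkdir -p "$LOGS/network"
    : > "$LOGS/network/fw.txt"           # make it non-empty
    if rmdir "$LOGS/network" 2>/dev/null; then echo removed; else echo refused; fi
}

# The same directory goes away once it is empty. Prints "gone" or "present".
rmdir_empty() {
    mkdir -p "$LOGS/network"
    rm -f "$LOGS/network"/*
    rmdir "$LOGS/network"
    if [ -d "$LOGS/network" ]; then echo present; else echo gone; fi
}

# cp leaves the original in place; mv does not. Prints "kept moved" on success.
copy_vs_move() {
    : > "$REPORTS/vulnerabilities.txt"   # touch would do the same; : > is portable
    : > "$REPORTS/email_policy.txt"
    cp "$REPORTS/vulnerabilities.txt" "$PROJECTS"
    mv "$REPORTS/email_policy.txt" "$LOGS"
    cp_result=missing; mv_result=stayed
    [ -f "$REPORTS/vulnerabilities.txt" ] && [ -f "$PROJECTS/vulnerabilities.txt" ] && cp_result=kept
    [ ! -f "$REPORTS/email_policy.txt" ] && [ -f "$LOGS/email_policy.txt" ] && mv_result=moved
    echo "$cp_result $mv_result"
}

# mv with a file name as the second argument renames instead of relocating.
rename_with_mv() {
    : > "$REPORTS/permissions.txt"
    mv "$REPORTS/permissions.txt" "$REPORTS/perm.txt"
    ls "$REPORTS" | grep perm            # only perm.txt survives the rename
}

# >> appends, > overwrites. Prints the line count after the append, the line
# count after the overwrite, and the final file content.
append_then_overwrite() {
    f="$REPORTS/notes.txt"
    rm -f "$f"
    echo "created" > "$f"                 # > also creates a file that is missing
    echo "last updated date" >> "$f"      # appended: now two lines
    after_append=$(wc -l < "$f" | tr -d ' ')
    echo "time" > "$f"                    # overwritten: back to one line
    after_overwrite=$(wc -l < "$f" | tr -d ' ')
    echo "$after_append $after_overwrite $(cat "$f")"
}

echo "rmdir on a non-empty directory: $(rmdir_nonempty)"
echo "rmdir after emptying it: $(rmdir_empty)"
echo "cp keeps / mv moves the original: $(copy_vs_move)"
echo "after mv rename, reports holds: $(rename_with_mv)"
echo "lines after >>, lines after >, final content: $(append_then_overwrite)"
```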




Question 1 


What two arguments commonly follow the grep command? 


1/1 point 


The file to move and the new file location 
The string to search for and the file to search through 
The file name to search for and the directory to search through 


The file to write to and the string to add to it 


Correct 


The grep command is commonly followed by the string to search for and the file to search through. It is 
used to search files for specified strings. 


Question 2 


In Linux, what does the piping command (|) do? 


1/1 point 


It searches a specified file and returns all lines in the file containing a specified string. 


It moves a file or directory to a new location. 


It sends the standard output of one command as standard input to another command for further 
processing. 


It sends the standard input of one command as standard output to another command for further 
processing. 


Correct 


The piping command (|) sends the standard output of one command as standard input to another 
command for further processing. 


Question 3 


A security professional enters cp vulnerabilities.txt /home/analyst/projects into the 
command line. What do they want the operating system to do? 


1/1 point 


Create a new file named vulnerabilities.txt in the projects directory 


Search for the string vulnerabilities.txt in the projects directory 


Remove the vulnerabilities.txt file from the projects directory 


Copy the vulnerabilities.txt file into the projects directory 


Correct 


They want the operating system to copy the vulnerabilities.txt file into the projects directory. 
The original version of the file or directory will also remain in its original location. 


Question 4 


What command creates a new file called failed_logins.txt? 


1/1 point 


rm failed_logins.txt 


find failed_logins.txt 


touch failed_logins.txt 


mkdir failed_logins.txt 


Correct 


The command touch failed_logins.txt creates a new file called failed_logins.txt. The touch 
command is used to create a new file. 


File permissions and ownership 


Hi there. It's great to have you back! Let's continue to learn more about how to work in Linux as a 
security analyst. In this video, we'll explore file and directory permissions. We'll learn how Linux 
represents permissions and how you can check for the permissions associated with files and 
directories. 

Permissions are the type of access granted for a file or directory. Permissions are related to 
authorization. Authorization is the concept of granting access to specific resources in a system. 
Authorization allows you to limit access to specified files or directories. A good rule to follow is that 
data access is on a need-to-know basis. You can imagine the security risk it would impose if anyone 
could access or modify anything they wanted to on a system. 

There are three types of permissions in Linux that an authorized user can have. The first type of 
permission is read. On a file, read permissions means contents on the file can be read. On a 
directory, this permission means you can read all files in that directory. Next are write permissions. 
Write permissions on a file allow modifications of contents of the file. On a directory, write 
permissions indicate that new files can be created in that directory. Finally, there are also execute 
permissions. Execute permissions on files mean that the file can be executed if it's an executable 
file. Execute permissions on directories allow users to enter into a directory and access its files. 

Permissions are granted for three different types of owners. The first type is the user. The user is the 
owner of the file. When you create a file, you become the owner of the file, but the ownership can be 
changed. Group is the next type. Every user is a part of a certain group. A group consists of several 
users, and this is one way to manage a multi-user environment. Finally, there is other. Other can be 
considered all other users on the system. Basically, anyone else with access to the system belongs 
to this group. In Linux, file permissions are represented with a 10-character string. For a directory 
with full permissions for user, group, and other, this string would be: drwxrwxrwx. 

Let's examine what this means more closely. The first character indicates the file type. As shown in 
this example, d is used to indicate it is a directory. If this character contains a hyphen instead, it 
would be a regular file. The second, third, and fourth characters indicate the permissions for the 
user. In this example, r indicates the user has read permissions, w indicates the user has write 
permissions, and x indicates the user has execute permissions. If one of these permissions was 
missing, there would be a hyphen instead of the letter. In the same way, the fifth, sixth, and seventh 
characters indicate permissions for the next owner type group. As it shows here, the type group also 
has read, write, and execute permissions. There are no hyphens to indicate that any of these 
permissions haven't been granted. Finally, the eighth through tenth characters indicate permissions 
for the last owner type: other. They also have read, write, and execute permissions in this example. 
Ensuring files and directories are set with their appropriate access permissions is critical to 
protecting sensitive files and maintaining the overall security of a system. For example, payroll 
departments handle sensitive information. If someone outside of the payroll group could read this 
file, this would be a privacy concern. Another example is when the user, the group, and other can all 
write to a file. This type of file is considered a world-writable file. World-writable files can pose 
significant security risks. 

So how do we check permissions? First, we need to understand what options are. Options modify 
the behavior of the command. The options for a command can be a single letter or a full word. 
Checking permissions involves adding options to the ls command. First, ls -l displays permissions to 
files and directories. You might also want to display hidden files and identify their permissions. 
Hidden files, which begin with a period before their name, don't normally appear when you use ls to 
display file contents. Entering ls -a displays hidden files. Then you can combine these two options to 
do both. Entering ls -la displays permissions to files and directories, including hidden files. 

Let's get into Bash and try out these options. Right now, we're in the project subdirectory. First, let's 
use the ls command to display its contents. The output displays the files in this directory, but we 
don't know anything about their permissions. By using ls -l instead, we get expanded information on 
these files. Let's do this. The file names are now on the right side of each row. The first piece of 
information in each row shows the permissions in the format that we discussed earlier. Since these 
are all files and not directories, notice how the first character is a hyphen. Let's focus on one specific 
file: project1.txt. The second through fourth characters of its permissions show us the user has both 
read and write permissions but lacks execute permissions. In both the fifth through seventh 
characters and eighth through tenth characters, the sequence is r--. This means group and other 
have only read privileges. After the permissions, ls -l first displays the username. Here, that's us, 
analyst. Next comes the group name; in our case, the security group. Now let's use ls -a. The output 
includes two more files, hidden files with the names .hidden1.txt and .hidden2.txt. Finally, we can 
also use ls -la to show the permissions for all files, including these hidden files. 

I thought that was pretty interesting. Did you? You now know a little more about file permissions and 
ownership. This will be helpful when working in security because monitoring and setting correct 
permissions is essential for protecting information. Take a small break and meet me in the next 
video. 
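To make the ten-character string concrete, here is an added example in POSIX shell (my own code, not from the course) that decodes a mode string into its file type and user/group/other triplets, and runs a small audit over a constructed ls -l listing to flag world-writable entries, the risk the video calls out. The sample listing is made up for the example; on a real system you would pipe `ls -la` into the same function.

```shell
# Added example: decode an ls -l mode string and flag world-writable entries.
# The listing below is constructed sample data, not real output.

# describe_mode MODE  -> "type=<kind> user=rwx group=rwx other=rwx"
describe_mode() {
  mode=$1
  [ "${#mode}" -eq 10 ] || { echo "expected a 10-character mode string" >&2; return 1; }
  case $(printf '%s' "$mode" | cut -c1) in
    d) kind=directory ;;
    -) kind="regular file" ;;
    l) kind="symbolic link" ;;
    *) kind=other ;;
  esac
  # characters 2-4: user, 5-7: group, 8-10: other
  echo "type=$kind" \
       "user=$(printf '%s' "$mode" | cut -c2-4)" \
       "group=$(printf '%s' "$mode" | cut -c5-7)" \
       "other=$(printf '%s' "$mode" | cut -c8-10)"
}

# is_world_writable MODE -> true when the 9th character (write for other) is w
is_world_writable() {
  [ "$(printf '%s' "$1" | cut -c9)" = w ]
}

# audit_listing < ls-l-output -> one line per world-writable entry.
# ls -l columns: mode links owner group size month day time name
audit_listing() {
  while read -r mode links owner group size month day time name; do
    case $mode in ""|total*) continue ;; esac   # skip blank and "total" lines
    if is_world_writable "$mode"; then
      echo "WORLD-WRITABLE: $name owner=$owner group=$group mode=$mode"
    fi
  done
}

# Constructed sample: what `ls -la` might show in the video's projects directory.
SAMPLE_LISTING='total 16
-rw-r--r-- 1 analyst security   42 Oct  3 10:15 .hidden1.txt
-rw-r--r-- 1 analyst security  118 Oct  3 10:15 project1.txt
-rw-rw-rw- 1 analyst security  256 Oct  3 10:16 project2.txt
drwxrwxrwx 2 analyst security 4096 Oct  3 10:17 shared'

# Number of world-writable entries in the sample listing (2).
count_world_writable() {
  printf '%s\n' "$SAMPLE_LISTING" | audit_listing | wc -l | tr -d ' '
}
```

One caveat when feeding real listings in: on systems with ACLs or SELinux labels, `ls -l` appends an eleventh character (`+` or `.`) to the mode, so trim with `cut -c1-10` before handing the string to `describe_mode`.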


Change permissions 


Hi there! In the previous video, you learned how to check permissions for a user. In this video, we're 
going to learn about changing permissions. 

When working as a security analyst, there may be many reasons to change permissions for a user. 
A user may have changed departments or been assigned to a different work group. A user might 
simply no longer be working on a project that requires certain permissions. These changes are 
necessary in order to protect system files from being accidentally or deliberately altered or deleted. 
Let's explore a related command that helps control this access. In this video, we'll learn about 
chmod. chmod changes permissions on files and directories. The command chmod stands for 
change mode. 

There are two modes for changing permissions, but we'll focus on symbolic. The best way to learn 
about how chmod works is through an example. I know this has a lot of details, but we'll break this 
down. Also, please keep in mind that, like many Linux commands, you don't have to memorize the 
information and can always find a reference. 

With chmod, you need to identify which file or directory you want to adjust permissions for. This is 
the final argument, in this case, a file named: access.txt. The first argument, added directly after the 
chmod command, indicates how to change permissions. Right now, this might seem hard to 
interpret, but soon we'll understand why this is called symbolic mode. 

Previously, we learned about the three types of owners: user, group, and other. To identify these with 
chmod, we use u to represent the user, g to represent the group, and o to represent other. In this 
particular example, g indicates we will make some changes to group permissions, and o to 
permissions for other. These owner types are separated by a comma in this argument. 

But do we want to add or take away permissions? Well, for this, we use mathematical operators. So, 
the plus sign after g means we want to add permissions for group. The minus sign after o means we 
want to take them away from other. And the last question is: what kind of changes? We've already 
learned that r represents read permissions, w represents write permissions, and x represents 
execute permissions. So in this case, the w indicates that we're adding write permissions to the 
group, and r indicates that we are taking away read permissions from other. This is still very 
complex. But now that we've broken it down, perhaps it doesn't seem quite so much like a foreign 
language. And remember, you don't have to memorize this all. 

Let's give this new command a try. We'll start out in the logs sub-directory. If we use the ls -l 
command, it will output the permissions for the file. It shows the permissions for the only file in this 
directory: access.txt. Previously, we learned how to read these permissions. The second through 
fourth characters indicate that the user has read and write permissions. The fifth through seventh 
characters show the group only has read permissions. And the eighth to tenth characters show that 
other only has read permissions. We need to adjust these permissions. 

We want to ensure analysts in the security group have write permission, but take away read 
permissions from the owner type other, so we add write permissions for group and remove read 
permissions for other. Let's run ls -l again. This shows a change in the permissions for access.txt. 
Notice how in the middle segment of permissions for the group, w has been added to give write 
permissions. And another change is that the r has been removed in the last segment, indicating that 
read permissions for other have been removed. As mentioned earlier, these hyphens indicate a lack 
of permissions. Now, other is lacking all permissions. 

Though it requires practice, working in Linux becomes more natural with time. I'm glad you're 
learning a little more about how to use Linux. 


Permission commands 


Previously, you explored file permissions and the commands that you can use to display and change 
them. In this reading, you'll review these concepts and also focus on an example of how these 
commands work together when putting the principle of least privilege into practice. 


Reading permissions 


In Linux, permissions are represented with a 10-character string. Permissions include: 
• read: for files, this is the ability to read the file contents; for directories, this is the ability to 
read all contents in the directory including both files and subdirectories 
• write: for files, this is the ability to make modifications on the file contents; for directories, this 
is the ability to create new files in the directory 
• execute: for files, this is the ability to execute the file if it’s a program; for directories, this is 
the ability to enter the directory and access its files 

These permissions are given to these types of owners: 
• user: the owner of the file 
• group: a larger group that the owner is a part of 
• other: all other users on the system 


Each character in the 10-character string conveys different information about these permissions. The 
following table describes the purpose of each character: 

Character   Example       Meaning 
1st         drwxrwxrwx    file type 
                          • d for directory 
                          • - for a regular file 
2nd         drwxrwxrwx    read permissions for the user 
                          • r if the user has read permissions 
                          • - if the user lacks read permissions 
3rd         drwxrwxrwx    write permissions for the user 
                          • w if the user has write permissions 
                          • - if the user lacks write permissions 
4th         drwxrwxrwx    execute permissions for the user 
                          • x if the user has execute permissions 
                          • - if the user lacks execute permissions 
5th         drwxrwxrwx    read permissions for the group 
                          • r if the group has read permissions 
                          • - if the group lacks read permissions 
6th         drwxrwxrwx    write permissions for the group 
                          • w if the group has write permissions 
                          • - if the group lacks write permissions 
7th         drwxrwxrwx    execute permissions for the group 
                          • x if the group has execute permissions 
                          • - if the group lacks execute permissions 
8th         drwxrwxrwx    read permissions for other 
                          • r if the other owner type has read permissions 
                          • - if the other owner type lacks read permissions 
9th         drwxrwxrwx    write permissions for other 
                          • w if the other owner type has write permissions 
                          • - if the other owner type lacks write permissions 
10th        drwxrwxrwx    execute permissions for other 
                          • x if the other owner type has execute permissions 
                          • - if the other owner type lacks execute permissions 


Exploring existing permissions 


You can use the ls command to investigate who has permissions on files and directories. 
Previously, you learned that ls displays the names of the files and directories in the current working 
directory. 

There are additional options you can add to the ls command to make your command more specific. 
Some of these options provide details about permissions. Here are a few important ls options for 
security analysts: 

• ls -a: Displays hidden files. Hidden files start with a period (.) at the beginning. 
• ls -l: Displays permissions to files and directories. Also displays other additional 
information, including owner name, group, file size, and the time of last modification. 
• ls -la: Displays permissions to files and directories, including hidden files. This is a 
combination of the other two options. 


Changing permissions 


The principle of least privilege is the concept of granting only the minimal access and 
authorization required to complete a task or function. In other words, users should not have 
privileges that are beyond what is necessary. Not following the principle of least privilege can create 
security risks. 

The chmod command can help you manage this authorization. The chmod command changes 
permissions on files and directories. 


Using chmod 


The chmod command requires two arguments. The first argument indicates how to change 
permissions, and the second argument indicates the file or directory that you want to change 
permissions for. For example, the following command would add all permissions to 
login_sessions.txt: 

chmod u+rwx,g+rwx,o+rwx login_sessions.txt 

If you wanted to take all the permissions away, you could use 

chmod u-rwx,g-rwx,o-rwx login_sessions.txt 

Another way to assign these permissions is to use the equals sign (=) in this first argument. Using = 
with chmod sets, or assigns, the permissions exactly as specified. For example, the following 
command would set read permissions for login_sessions.txt for user, group, and other: 

chmod u=r,g=r,o=r login_sessions.txt 

This command overwrites existing permissions. For instance, if the user previously had write 
permissions, these write permissions are removed after you specify only read permissions with =. 


The following table reviews how each character is used within the first argument of chmod: 


Character   Description 
u           indicates changes will be made to user permissions 
g           indicates changes will be made to group permissions 
o           indicates changes will be made to other permissions 
+           adds permissions to the user, group, or other 
-           removes permissions from the user, group, or other 
=           assigns permissions for the user, group, or other 

Note: When there are permission changes to more than one owner type, commas are needed to 
separate changes for each owner type. You should not add spaces after those commas. 


The principle of least privilege in action 


As a security analyst, you may encounter a situation like this one: There’s a file called 
bonuses.txt within a compensation directory. The owner of this file is a member of the Human 
Resources department with a username of hrrep1. It has been decided that hrrep1 needs access 
to this file. But, since this file contains confidential information, no one else in the hr group needs 
access. 

You run ls -l to check the permissions of files in the compensation directory and discover that the 
permissions for bonuses.txt are -rw-rw----. The group owner type has read and write 
permissions that do not align with the principle of least privilege. 

To remedy the situation, you input chmod g-rw bonuses.txt. Now, only the user who needs to 
access this file to carry out their job responsibilities can access this file. 
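The following added example (my own shell code, not the course's) exercises chmod's symbolic mode on scratch files in a temporary directory and reads the mode string back after every step, which is how you confirm a change took effect. It covers both the access.txt walkthrough from the Change permissions video (add write for group, remove read for other, then the assigning behaviour of =) and the bonuses.txt remediation in this reading. Function names and the temporary paths are the example's own.

```shell
# Added example: apply chmod symbolic changes and verify them by reading the
# 10-character mode back. Runs in a mktemp directory; nothing else is touched.

# mode_of PATH -> the 10-character mode string (portable: parses `ls -ld`).
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# The video's access.txt example. Prints "before after assigned":
#   before   -rw-r--r--  (user rw, group r, other r)
#   after    -rw-rw----  (g+w added write for group, o-r removed read for other)
#   assigned -r--r--r--  (= sets exactly what is listed, so user's w is gone too)
chmod_video_demo() {
  dir=$(mktemp -d) || return 1
  f="$dir/access.txt"
  : > "$f"
  chmod u=rw,g=r,o=r "$f"     # known starting point regardless of umask
  before=$(mode_of "$f")
  chmod g+w,o-r "$f"          # two owner types, comma-separated, no spaces
  after=$(mode_of "$f")
  chmod u=r,g=r,o=r "$f"      # assign: overwrites whatever was there
  assigned=$(mode_of "$f")
  rm -rf "$dir"
  echo "$before $after $assigned"
}

# The reading's least-privilege scenario: bonuses.txt starts as -rw-rw----,
# the hr group must lose access. Prints the resulting mode (-rw-------).
least_privilege_fix() {
  dir=$(mktemp -d) || return 1
  f="$dir/bonuses.txt"
  : > "$f"
  chmod u=rw,g=rw,o= "$f"     # reproduce the discovered state
  chmod g-rw "$f"             # the remediation from the reading
  result=$(mode_of "$f")
  rm -rf "$dir"
  echo "$result"
}

# owner_only MODE -> true when characters 5-10 (group and other) are all "-",
# i.e. only the file owner holds any permission bits. Useful as a guard in
# scripts that must not proceed while a confidential file is shared.
owner_only() {
  [ "$(printf '%s' "$1" | cut -c5-10)" = "------" ]
}
```

A practical habit the example encodes: after any chmod, re-run `ls -l` (here `mode_of`) rather than assuming the command did what you meant, and when a file is meant to be private, assert the group and other triplets are empty instead of eyeballing the string.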


Key takeaways 


Managing directory and file permissions may be a part of your work as a security analyst. Using ls 
with the -l and -la options allows you to investigate directory and file permissions. Using chmod 
allows you to change user permissions and ensure they are aligned with the principle of least 
privilege. 


Add and delete users 


Welcome back! In this video, we are going to discuss adding and deleting users. This is related to 
the concept of authentication. Authentication is the process of a user proving that they are who they 
say they are in the system. 

Just like in a physical building, not all users should be allowed in. Not all users should get access to 
the system. But we also want to make sure everyone who should have access to the system has it. 
That's why we need to add users. New users can be new to the organization or new to a group. This 
could be related to a change in organizational structure or simply a directive from management to 
move someone. 

And also, when users leave the organization, they need to be deleted. They should no longer have 
access to any part of the system. Or if they simply changed groups, they should be deleted from 
groups that they are no longer a part of. 

Now that we've sorted out why it's important to add and delete users, let's discuss a different type of 
user, the root user. A root user, or superuser, is a user with elevated privileges to modify the system. 
Regular users have limitations, where the root does not. 

Individuals who need to perform specific tasks can be temporarily added as root users. Root users 
can create, modify, or delete any file and run any program. Only root users or accounts with root 
privileges can add new users. So you may be wondering how you become a superuser. Well, one 
way is logging in as the root user, but running commands as the root user is considered to be bad 
practice when using Linux. 

Why is running commands as a root user potentially problematic? The first problem with logging in 
as root is the security risks. Malicious actors will try to breach the root account. Since it's the most 
powerful account, to stay safe, the root account should have logins disabled. Another problem is that 
it's very easy to make irreversible mistakes. 

It's very easy to type the wrong command in the CLI, and if you're running as the root user, you run a 
higher risk of making an irreversible mistake, such as permanently deleting a directory. Finally, 
there's the concern of accountability. In a multi-user environment like Linux, there are many users. If 
a user is running as root, there is no way to track who exactly ran a command. One solution to help 
solve this problem is sudo. 


sudo is a command that temporarily grants elevated permissions to specific users. This provides 
more of a controlled approach compared to root, which runs every command with root privileges. 
sudo solves lots of problems associated with running as root. 

sudo comes from super-user-do and lets you execute commands as an elevated user without having 
to sign in and out of another account. Running sudo will prompt you to enter the password for the 
user you're currently logged in as. Not all users on a system can become a superuser. Users must 
be granted sudo access through a configuration file called the sudoers file. 

Now that we've learned about sudo, let's learn how we can use it with another command to add 
users. This command is useradd. useradd adds a user to the system. Only root or users with sudo 
privileges can use a useradd command. Let's look at a specific example in which we need to add a 
user. We'll imagine a new representative is joining the sales department and will be given the 
username of salesrep7. We're tasked with adding them to the system. 

Let's try adding the new user. First, we need to use the sudo command, followed by the useradd 
command, and then last, the username we want to add, in this case, salesrep7. This command 
doesn't display anything on the screen. But since we get a new Bash cursor and not an error 
message, we can feel confident that the command worked successfully. If it didn't, an error message 
would have appeared. Sometimes an error has to do with something simple like misspelling 
useradd. Or, it might be because we didn't have sudo privileges. 

Now let's learn how to do the opposite. Let's learn how to delete a user with userdel. userdel deletes 
a user from the system. Similarly, we need root permissions that we'll access through sudo to use 
userdel. Let's go back to our example of the user we added. Let's imagine two months later, the 
sales representative that we just added to the system leaves the company. That user should no 
longer have access to the system. Let's delete that user from the system. 

Again, the sudo command is used first, then we add the userdel command. Last, we add the name 
of the user we want to delete. Again, we know it ran successfully because there is a new Bash 
cursor and not an error message. 

Now, we've covered how to add and delete users and how these actions require sudo. When using 
sudo, we have to use our best judgment. These special privileges must be used responsibly to 
ensure a secure system. 


Responsible use of sudo 


Previously, you explored authorization, authentication, and Linux commands with sudo, useradd, 
and userdel. The sudo command is important for security analysts because it allows users to have 
elevated permissions without risking the system by running commands as the root user. You'll 
continue exploring authorization, authentication, and Linux commands in this reading and learn two 
more commands that can be used with sudo: usermod and chown. 


Responsible use of sudo 


To manage authorization and authentication, you need to be a root user, or a user with elevated 
privileges to modify the system. The root user can also be called the “super user.” You become a 
root user by logging in as the root user. However, running commands as the root user is not 
recommended in Linux because it can create security risks if malicious actors compromise that 
account. It’s also easy to make irreversible mistakes, and the system can’t track who ran a 
command. For these reasons, rather than logging in as the root user, it’s recommended you use 
sudo in Linux when you need elevated privileges. 

The sudo command temporarily grants elevated permissions to specific users. The name of this 
command comes from “super user do.” Users must be given access in a configuration file to use 
sudo. This file is called the “sudoers file.” Although using sudo is preferable to logging in as the root 
user, it's important to be aware that users with the elevated permissions to use sudo might be more 
at risk in the event of an attack. 

You can compare this to a hotel with a master key. The master key can be used to access any room 
in the hotel. There are some workers at the hotel who need this key to perform their work. For 
example, to clean all the rooms, the janitor would scan their ID badge and then use this master key. 
However, if someone outside the hotel’s network gained access to the janitor’s ID badge and master 
key, they could access any room in the hotel. In this example, the janitor with the master key 
represents a user using sudo for elevated privileges. Because of the dangers of sudo, only users 
who really need to use it should have these permissions. 

Additionally, even if you need access to sudo, you should be careful about using it with only the 
commands you need and nothing more. Running commands with sudo allows users to bypass the 
typical security controls that are in place to prevent elevated access to an attacker. 


Note: Be aware of sudo if copying commands from an online source. It’s important you don’t use 
sudo accidentally. 


Authentication and authorization with sudo 


You can use sudo with many authentication and authorization management tasks. As a reminder, 
authentication is the process of verifying who someone is, and authorization is the concept of 
granting access to specific resources in a system. Some of the key commands used for these tasks 
include the following: 


useradd 


The useradd command adds a user to the system. To add a user with the username of fgarcia 
with sudo, enter sudo useradd fgarcia. There are additional options you can use with 
useradd: 

• -g: Sets the user’s default group, also called their primary group 
• -G: Adds the user to additional groups, also called supplemental or secondary groups 

To use the -g option, the primary group must be specified after -g. For example, entering sudo 
useradd -g security fgarcia adds fgarcia as a new user and assigns their primary group 
to be security. 

To use the -G option, the supplemental group must be passed into the command after -G. You can 
add more than one supplemental group at a time with the -G option. Entering sudo useradd -G 
finance,admin fgarcia adds fgarcia as a new user and adds them to the existing finance 
and admin groups. 


usermod 


The usermod command modifies existing user accounts. The same -g and -G options from the 
useradd command can be used with usermod if a user already exists. 

To change the primary group of an existing user, you need the -g option. For example, entering 
sudo usermod -g executive fgarcia would change fgarcia’s primary group to the 
executive group. 

To add a supplemental group for an existing user, you need the -G option. You also need a -a 
option, which appends the user to an existing group and is only used with the -G option. For 
example, entering sudo usermod -a -G marketing fgarcia would add the existing fgarcia 
user to the supplemental marketing group. 

Note: When changing the supplemental group of an existing user, if you don't include the -a option, 
-G will replace any existing supplemental groups with the groups specified after usermod. Using -a 
with -G ensures that the new groups are added but existing groups are not replaced. 

There are other options you can use with usermod to specify how you want to modify the user, 
including: 

• -d: Changes the user’s home directory. 
• -l: Changes the user’s login name. 
• -L: Locks the account so the user can’t log in. 

The option always goes after the usermod command. For example, to change fgarcia’s home 
directory to /home/garcia_f, enter sudo usermod -d /home/garcia_f fgarcia. The 
option -d directly follows the command usermod before the other two needed arguments. 


userdel 


The userdel command deletes a user from the system. For example, entering sudo userdel 
fgarcia deletes fgarcia as a user. Be careful before you delete a user using this command. 


The userdel command doesn’t delete the files in the user’s home directory unless you use the -r 
option. Entering sudo userdel -r fgarcia would delete fgarcia as a user and delete all files 
in their home directory. Before deleting any user files, you should ensure you have backups in case 
you need them later. 

Note: Instead of deleting the user, you could consider deactivating their account with usermod -L. 
This prevents the user from logging in while still giving you access to their account and associated 
permissions. For example, if a user left an organization, this option would allow you to identify which 
files they have ownership over, so you could move this ownership to other users. 
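Because useradd, usermod and userdel need root, a safe way to practise what the Add and delete users video and this reading describe is to verify their effects rather than run them: a user's primary group is the GID in field 4 of /etc/passwd, supplemental groups are the groups in /etc/group whose member list (field 4) names the user, and usermod -L locks an account by prefixing the password hash in /etc/shadow with "!". The added example below (my own code, not the course's) performs those checks over constructed copies of the three files so it runs without privileges; the usernames, GIDs and hash strings are made up, and the variable and function names are the example's own.

```shell
# Added example: verify group membership and locked status from the account
# databases. The three SAMPLE_* strings are constructed stand-ins for
# /etc/passwd, /etc/group and /etc/shadow; swap in the real files
# (shadow requires root) to audit a live system.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
fgarcia:x:1001:1002::/home/fgarcia:/bin/bash
salesrep7:x:1002:1003::/home/salesrep7:/bin/bash'

# group name : password : GID : comma-separated supplemental members
SAMPLE_GROUP='root:x:0:
security:x:1002:
sales:x:1003:
finance:x:1004:fgarcia
admin:x:1005:fgarcia,root
marketing:x:1006:fgarcia'

# A leading "!" on the hash field is what usermod -L writes (constructed hashes).
SAMPLE_SHADOW='fgarcia:$6$examplehash:19700:0:99999:7:::
salesrep7:!$6$examplehash:19700:0:99999:7:::'

# primary_group USER -> name of the group whose GID is passwd field 4
primary_group() {
  gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
  [ -n "$gid" ] || return 1
  printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# supplemental_groups USER -> comma-separated groups listing USER as a member
supplemental_groups() {
  printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '
    { n = split($4, m, ",")
      for (i = 1; i <= n; i++)
        if (m[i] == u) out = (out == "" ? $1 : out "," $1) }
    END { print out }'
}

# is_locked USER -> true when the shadow hash field begins with "!"
is_locked() {
  pw=$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $2 }')
  case $pw in '!'*) return 0 ;; *) return 1 ;; esac
}

# account_report USER -> one-line summary an analyst can paste into a ticket
account_report() {
  if is_locked "$1"; then locked=yes; else locked=no; fi
  echo "user=$1 primary=$(primary_group "$1") supplemental=$(supplemental_groups "$1") locked=$locked"
}
```

On a real host the same questions are answered by `id fgarcia` (primary and supplemental groups) and `sudo passwd -S fgarcia` (lock status), but reading the files directly is what you do when reviewing a copied system image or a backup.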


chown 


The chown command changes ownership of a file or directory. You can use chown to change user 
or group ownership. To change the user owner of the access.txt file to fgarcia, enter sudo 
chown fgarcia access.txt. To change the group owner of access.txt to security, enter 
sudo chown :security access.txt. You must enter a colon (:) before security to 
designate it as a group name. 

Similar to useradd, usermod, and userdel, there are additional options that can be used with 
chown. 


Key takeaways 


Authentication is the process of a user verifying their identity, and authorization is the process of 
determining what they have access to. You can use the sudo command to temporarily run 
commands with elevated privileges to complete authentication and authorization management tasks. 
Specifically, useradd, userdel, usermod, and chown can be used to manage users and file 
ownership. 


Congratulations! You passed! 


Grade received 100% 


To pass 75% or higher 


Question 1 


What is authorization? 


1/1 point 


The process of a user proving that they are who they say they are in the system 


The concept of granting access to specific resources in a system 


The process of temporarily granting elevated permissions to specific users 


The concept of granting only the minimal access and authorization required to complete a task or function 


Correct 


Authorization is the concept of granting access to specific resources in a system. 


Question 2 


Which of the following statements correctly describe the file permissions string -rw-rw-rw-? Select two 
answers. 


1/1 point 


The group has read permissions. 


Correct 


The 3rd character of the file permissions string -rw-rw-rw- indicates that the user has write permissions, 
and the 5th character of the file permissions string -rw-rw-rw- indicates that the group has read 
permissions. 


The user has write permissions. 


Correct 


The 3rd character of the file permissions string -rw-rw-rw- indicates that the user has write permissions, 
and the 5th character of the file permissions string -rw-rw-rw- indicates that the group has read 
permissions. 


The user and group have execute permissions. 


The file type is a directory. 


Question 3 


A security professional enters chmod g+w access.txt into the command line. What does this command 
tell the operating system to do? 


1/1 point 


Remove write permissions from the group for the access.txt file 


Remove write permissions from the user for the access.txt file 


Add write permissions to the group for the access.txt file 


Add write permissions to the user for the access.txt file 


Correct 


The command chmod g+w access.txt tells the operating system to add write permissions to the group. 


Question 4 


Which of the following commands typically must be used with sudo? Select three answers. 


1/1 point 


userdel 


Correct 


The useradd, userdel, and chown commands must typically be used with sudo. The useradd command adds a user to the system, userdel deletes a user from the system, and chown changes ownership of a file. 


chmod 


useradd 


Correct 


The useradd, userdel, and chown commands must typically be used with sudo. The useradd command adds a user to the system, userdel deletes a user from the system, and chown changes ownership of a file. 


chown 


Correct 


The useradd, userdel, and chown commands must typically be used with sudo. The useradd command adds a user to the system, userdel deletes a user from the system, and chown changes ownership of a file. 


Question 5 


A security analyst is updating permissions on a directory named projects. The current permissions are drwxrw-xr--. They want to add execute permissions for the group. What do they enter on the command line? 


1/1 point 


chmod u-x projects 


chmod g+x projects 


chmod x+x projects 


chmod g-x projects 


Correct 


They enter chmod g+x projects. This command adds execute permissions for the group. 


The Linux community 


There are so many others just like you who will be using the command line. Linux's popularity and 
ease of use has created a large online community that constantly publishes information to help users 
learn how to operate Linux. Since Linux is open-source, it has become a global community of users 
that contribute frequently. 

This global community is a huge resource for all Linux users because users can find answers for 
everyday tasks. Just searching on the internet will provide many answers. The easiest way to 
troubleshoot a task is to search and read about how someone else has done it. Looking for 
resources on how to execute a task is a good way for beginners to continue learning. 

So far, you've learned how to add users, but imagine if later you want to add a new group. One way 
to learn how to do this is to search online. Let's give this a try through a Google search. The search 
results give us many options for adding a group in Linux. 

Another reputable source is a Unix & Linux Stack Exchange. Their answers are ranked with points to 
display high-quality answers. Many questions relate to more advanced users and are geared 
towards troubleshooting. 

Well, now you know where to get some extra support whenever in doubt about topics in Linux. There is a lot of support just a click away. Coming up, we'll learn how to get support from within the command line itself. Join me. 


Man pages within the shell 


Welcome back! In this video, we're going to discuss some resources that are available directly through the shell and can help you while working in Linux. One of the great things about Linux is that you can get help right through the command line. The first command that can help you in this way is: man. 

man displays information on other commands and how they work. The name of this command 
comes from the word manual. Let's examine this more closely by using man to get information about 
the usermod command. After man, we type the name of this command. The information that man 
returns includes a general description. It also contains information about each of usermod's options. 
For example, the option -d can be added to usermod to change a user's home directory. man 
provides a lot of information, but sometimes we just need a quick reference on what a command 
does. In that case, you use whatis. whatis displays a description of a command on a single line. 
Let's say you heard a co-worker mention a command like tail. You've never heard of this command 
before, but you can find out what it does. Simply use the command, whatis tail, and learn that it 
outputs the last part of files. 

Sometimes we might not even know what command to look up. This is where apropos can help us. 
apropos searches the manual page descriptions for a specified string. Let's try it out. Let's say you 
have a task that requires you to change a password, but you're not quite sure how to do this. If we 
use the apropos command with the string password, this will display a large number of commands 
with that word. This helps somewhat, but it still may be difficult to find what we need. But we can 
filter this by adding the -a option and an additional string. This option will return only the commands 
that contain both strings. In our case, since we want to change the password, let's look for 
commands with both: change and password. Now, the output has been limited to the most relevant 
commands. 

These commands make it a lot easier to navigate the Linux command line. As a new analyst, you won't have all the answers all the time, but you can learn where to find them. 


Linux resources 


Previously, you were introduced to the Linux community and some resources that exist to help Linux users. Linux has many options available to give users the information they need. This reading will review these resources. When you're aware of the resources available to you, you can continue to learn Linux independently. You can also discover even more ways that Linux can support your work as a security analyst. 


Linux community 


Linux has a large online community, and this is a huge resource for Linux users of all levels. You can 
likely find the answers to your questions with a simple online search. Troubleshooting issues by 
searching and reading online is an effective way to discover how others approached your issue. It’s 
also a great way for beginners to learn more about Linux. 

The Unix and Linux Stack Exchange is a trusted resource for troubleshooting Linux issues. It is a question and answer website where community members can ask and answer questions about Linux. Community members vote on answers, so the higher quality answers are displayed at the top. Many of the questions are related to specific topics from advanced users, and the topics might help you troubleshoot issues as you continue using Linux. 


Integrated Linux support 


Linux also has several commands that you can use for support. 


man 


The man command displays information on other commands and how they work. It's short for "manual." To search for information on a command, enter the command after man. For example, entering man chown returns detailed information about chown, including the various options you can use with it. The output of the man command is also called a "man page." 


apropos 


The apropos command searches the man page descriptions for a specified string. Man pages can be lengthy and difficult to search through if you're looking for a specific keyword. To use apropos, enter the keyword after apropos. 


You can also include the -a option to search for multiple words. For example, entering apropos -a graph editor outputs man pages that contain both the words "graph" and "editor" in their descriptions. 


whatis 


The whatis command displays a description of a command on a single line. For example, entering whatis nano outputs the description of nano. This command is useful when you don't need a detailed description, just a general idea of the command. This might be as a reminder. Or, it might be after you discover a new command through a colleague or online resource and want to know more. 
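As an added example (not part of this reading or of the course materials), here is a small Python model of the lookups described above and in the earlier video on man pages within the shell. It does not call the real commands; it runs against a constructed index of command names and one-line descriptions, written in the "name (section) - description" layout that whatis prints, so it works offline. The index entries and the function names whatis and apropos are assumptions for the example. It shows what whatis returns for an exact name, that apropos matches on both the name and the description, and how the -a option narrows the result to entries containing every keyword.

```python
"""Model of whatis / apropos lookups over a constructed man-page index.

Added example, not course code.  The index below is constructed for the
example; on a real system the data comes from the man-page database.
"""

# Constructed index in the layout whatis prints: "name (section) - description".
MAN_INDEX = """\
passwd (1) - change user password
chpasswd (8) - update passwords in batch mode
chage (1) - change user password expiry information
tail (1) - output the last part of files
usermod (8) - modify a user account
gpasswd (1) - administer /etc/group and /etc/gshadow
"""


def parse_index(text):
    """Split the index into (command name, description) pairs."""
    entries = []
    for line in text.splitlines():
        name_part, _, desc = line.partition(" - ")
        name = name_part.split(" (")[0]          # drop the "(section)" part
        entries.append((name, desc))
    return entries


def whatis(name, index=MAN_INDEX):
    """Exact-name lookup: the one-line description, or None if unknown."""
    for cmd, desc in parse_index(index):
        if cmd == name:
            return desc
    return None


def apropos(*keywords, index=MAN_INDEX, require_all=False):
    """Keyword search over names and descriptions, case-insensitive.

    require_all=False behaves like `apropos A B` (any keyword matches);
    require_all=True behaves like `apropos -a A B` (every keyword must match).
    """
    wanted = [k.lower() for k in keywords]
    matches = []
    for cmd, desc in parse_index(index):
        haystack = f"{cmd} {desc}".lower()
        hits = [k in haystack for k in wanted]
        if all(hits) if require_all else any(hits):
            matches.append(cmd)
    return matches


if __name__ == "__main__":
    print("whatis tail ->", whatis("tail"))
    print("apropos password ->", apropos("password"))
    print("apropos -a change password ->",
          apropos("change", "password", require_all=True))
```

Against this index, apropos("password") lists three commands, while adding the second keyword with require_all=True keeps only the two whose descriptions mention both words, which is the narrowing the video describes.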


Key takeaways 


There are many resources available for troubleshooting issues or getting support for Linux. Linux has a large global community of users who ask and answer questions on online resources, such as the Unix and Linux Stack Exchange. You can also use integrated support commands in Linux, such as man, apropos, and whatis. 


Resources for more information 


There are many resources available online that can help you learn new Linux concepts, review topics, or ask and answer questions with the global Linux community. The Unix and Linux Stack Exchange is one example, and you can search online to find others. 


Congratulations! You passed! 


Grade received 75% 


To pass 75% or higher 


Question 1 


Which of the following statements accurately describe Linux's online global community? Select three answers. 


1/1 point 


The community publishes online information to help users learn how to operate Linux. 


Correct 


Linux's online global community enables users to find support for everyday tasks. Information is published online to help users learn how to operate Linux. In addition, because Linux is open-source, members of the community can easily contribute. 


The community is focused on collecting feedback from advanced users of Linux. 


Linux users can find support from the community for everyday tasks. 


Correct 


Linux's online global community enables users to find support for everyday tasks. Information is published online to help users learn how to operate Linux. In addition, because Linux is open-source, members of the community can easily contribute. 


Because Linux is open-source, the community can easily contribute. 


Correct 


Linux's online global community enables users to find support for everyday tasks. Information is published online to help users learn how to operate Linux. In addition, because Linux is open-source, members of the community can easily contribute. 


Question 2 


What does the man command do? 


1/1 point 


Temporarily grants elevated permissions to specific users 


Display a description of a command on a single line 


Delete a user from the system 


Display information on other commands and how they work 


Correct 


The man command displays information on other commands and how they work. For more information about a specific command, enter this other command after man. 


Question 3 


What does the whatis command do? 


1/1 point 


Temporarily grants elevated permissions to specific users 


Display information on other commands and how they work 


Return the username of the current user 


Display a description of a command on a single line 


Correct 


The whatis command displays a description of a command on a single line. It is useful if you do not need the additional details found in the entire man page. 


Question 4 


What is an advantage of the apropos command? 


0/1 point 


It condenses the description of a specific command to one line. 


Users can search for a command even if they do not know the specific command name. 


It can be used to search for descriptions of commands when you know the specific command name. 


It incorporates mandatory options for customized searching 


correct 


The whatis or man commands are more useful than apropos if you know the specific command name. 


Wrap-up 


Congratulations! You completed another section in this course. Take a minute to think about what 
you've achieved. You learned a lot in this section. Let's recap what we covered. 

In this section, you utilized the command line to communicate with the OS. Part of this was using 
commands for navigating and managing the file system. And you used other commands for 
authenticating and authorizing users. These are all tasks that a security analyst is likely to encounter. 
Finally, you learned about accessing resources that support learning new Linux commands. With this 
knowledge, you'll be able to continue learning more and more about using the command line. 

We did it! We learned how to communicate with Linux. That's a great accomplishment, and one that will be very useful to you in your career as a security analyst. You should be proud of the work that you've done so far. 


Reference guide: Linux 


The Linux reference guide contains key Linux commands security professionals use to perform basic job duties. The reference guide is divided into six different categories of useful Linux commands for security-related tasks: 


Navigate the file system 

Read files 

Manage the file system 

Filter content 

Manage users and their permissions 


Get help in Linux 


Within each category, commands are organized alphabetically. 


Access and save the guide 


You can save a copy of this guide for future reference. You can use it as a resource for additional practice or in your future professional projects. 

To access a downloadable version of this course item, click the following link and select Use Template. 


Reference guide: Linux 


OR 


If you don't have a Google account, you can download the item directly from the following attachment. 


Reference Guide Linux.pdf 


PDF File 


Glossary terms from module 3 


Terms and definitions from Course 4, Module 3 


Absolute file path: The full file path, which starts from the root 

Argument (Linux): Specific information needed by a command 

Authentication: The process of verifying who someone is 

Authorization: The concept of granting access to specific resources in a system 

Bash: The default shell in most Linux distributions 

Command: An instruction telling the computer to do something 

File path: The location of a file or directory 

Filesystem Hierarchy Standard (FHS): The component of the Linux OS that organizes data 

Filtering: Selecting data that match a certain condition 

nano: A command-line file editor that is available by default in many Linux distributions 

Options: Input that modifies the behavior of a command 

Permissions: The type of access granted for a file or directory 

Principle of least privilege: The concept of granting only the minimal access and authorization required to complete a task or function 

Relative file path: A file path that starts from the user's current directory 

Root directory: The highest-level directory in Linux 

Root user (or superuser): A user with elevated privileges to modify the system 

Standard input: Information received by the OS via the command line 

Standard output: Information returned by the OS through the shell 


Welcome to module 4 


In the world of security, diversity is important. Diverse perspectives are often needed to find effective solutions. This is also true of the tools we use. Your job will often require you to use a lot of diverse tools. In the last section, we studied the Linux command line and learned how this tool can help you search and filter through data, navigate through the Linux file system, and authenticate users. Now, we'll learn about another tool. 

In this section, we'll explore SQL and how it allows you to analyze data in a way needed for your role as a security analyst. We're going to start off by learning about relational databases and how they're structured. From there, we're going to introduce SQL queries and how to use them to access data from databases. We then move on to SQL filters, which help us refine our queries to get the exact information we need. Lastly, we'll explore SQL joins, which allow you to combine tables together. When I'm presented with a problem or a project at work, I often have to sift through a large amount of data. When I use SQL, I'm able to review data quickly and provide results with confidence since the queries are consistent and easily executed. 

SQL is a very powerful and flexible tool. Throughout this section, you'll learn how to use the parts of it you need as a security analyst and gain hands-on experience. Good luck, and I'll join you for the rest of the course! 


Introduction to databases 


Our modern world is filled with data and that data almost always guides us in making important 
decisions. When working with large amounts of data, we need to know how to store it, so it's 
organized and quick to access and process. The solution to this is through databases, and that's 
what we're exploring in this video! 

To start us off, we can define a database as an organized collection of information or data. 
Databases are often compared to spreadsheets. Some of you may have used Google Sheets or 
another common spreadsheet program in the past. While these programs are convenient ways to 
store data, spreadsheets are often designed for a single user or a small team to store less data. In 
contrast, databases can be accessed by multiple people simultaneously and can store massive 
amounts of data. Databases can also perform complex tasks while accessing data. As a security analyst, you'll often need to access databases containing useful information. For example, these could be databases containing information on login attempts, software and updates, or machines and their owners. 


Now that we know how important databases are for us, let's talk about how they're organized and 
how we can interact with them. Using databases allows us to store large amounts of data while 
keeping it quick and easy to access. There are lots of different ways we can structure a database, 
but in this course, we'll be working with relational databases. A relational database is a structured 
database containing tables that are related to each other. 

Let's learn more about what makes a relational database. We'll start by examining an individual table 
in a larger database of organizational information. Each table contains fields of information. For 
example, in this table on employees, these would include fields like employee_id, device_id, and 
username. 

These are the columns of the tables. In addition, tables contain rows also called records. Rows are 
filled with specific data related to the columns in the table. For example, our first row is a record for 
an employee whose id is 1,000 and who works in the marketing department. 

Relational databases often have multiple tables. Consider an example where we have two tables 
from a larger database, one with employees of the company and another with machines given to 
those employees. We can connect two tables if they share a common column. In this example, we 
establish a relationship between them with a common employee_id column. The columns that relate 
two tables to each other are called keys. There are two types of keys. The first is called a primary 
key. The primary key refers to a column where every row has a unique entry. The primary key must 
not have any duplicate values, or any null or empty values. The primary key allows us to uniquely 
identify every row in our table. For the table of employees, employee_id is a primary key. Every 
employee_id is unique and there are no employee_ids that are duplicate or empty. 

The second type of key is a foreign key. The foreign key is a column in a table that is a primary key 
in another table. Foreign keys, unlike primary keys, can have empty values and duplicates. The 
foreign key allows us to connect two tables together. In our example, we can look at the 
employee_id column in the machines table. We previously identified this as a primary key in the 
employees table, so we can use this to connect every machine to their corresponding employee. 


It's also important to know that a table can only have one primary key, but multiple foreign keys. 
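As an added example (not from the course), the employees and machines tables described above, created in SQLite from Python so that the rules the video states about keys can be checked by trying to break them. The column names employee_id and device_id come from the video; the other columns, the row values and the device identifiers are constructed for this example. The last entry goes slightly beyond the video by joining the two tables on their shared column to list one employee's machines, which is what the foreign key is for.

```python
"""Primary and foreign keys in practice, using SQLite's built-in engine.

Added example, not course code.  Tables follow the video; all row values
are constructed.
"""
import sqlite3


def build_db():
    """Create the employees and machines tables with their key constraints."""
    conn = sqlite3.connect(":memory:")
    # SQLite checks foreign keys only when this pragma is on for the connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE employees (
            employee_id INT NOT NULL PRIMARY KEY,   -- primary key: unique, never NULL
            username    TEXT NOT NULL,
            department  TEXT NOT NULL
        );
        CREATE TABLE machines (
            device_id   TEXT NOT NULL PRIMARY KEY,
            -- foreign key: must match an existing employees.employee_id, but may be
            -- NULL (unassigned machine) and may repeat (one employee, several machines)
            employee_id INT REFERENCES employees(employee_id)
        );
        INSERT INTO employees VALUES (1000, 'elarson', 'Marketing');
        INSERT INTO employees VALUES (1001, 'bmoreno', 'Finance');
        INSERT INTO machines VALUES ('a320b137c219', 1000);
        INSERT INTO machines VALUES ('b8e87b3d2db7', 1000);
        INSERT INTO machines VALUES ('c1d3e5f7a9b2', NULL);
    """)
    return conn


def try_insert(conn, sql, params):
    """Run one INSERT; return None if it succeeds, else the constraint message."""
    try:
        with conn:                      # commits on success, rolls back on error
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as err:
        return str(err)


def machines_for(conn, username):
    """Follow the foreign key from machines back to employees for one person."""
    rows = conn.execute(
        "SELECT m.device_id FROM machines AS m "
        "JOIN employees AS e ON e.employee_id = m.employee_id "
        "WHERE e.username = ? ORDER BY m.device_id", (username,)).fetchall()
    return [device_id for (device_id,) in rows]


def demo():
    """Exercise each rule; the dict keys name the attempt, values hold the outcome."""
    conn = build_db()
    return {
        # A second row with employee_id 1000 violates the primary key.
        "duplicate_pk": try_insert(conn, "INSERT INTO employees VALUES (?, ?, ?)",
                                   (1000, "tshah", "IT")),
        # A NULL primary key is rejected too.
        "null_pk": try_insert(conn, "INSERT INTO employees VALUES (?, ?, ?)",
                              (None, "nobody", "IT")),
        # A machine pointing at an employee_id that does not exist is rejected.
        "unknown_fk": try_insert(conn, "INSERT INTO machines VALUES (?, ?)",
                                 ("d4e6f8a0b2c4", 9999)),
        # A third machine for employee 1000 is accepted: foreign keys may repeat.
        "repeated_fk": try_insert(conn, "INSERT INTO machines VALUES (?, ?)",
                                  ("e5f7a9b1c3d5", 1000)),
        "elarson_machines": machines_for(conn, "elarson"),
    }


if __name__ == "__main__":
    for attempt, outcome in demo().items():
        print(f"{attempt}: {outcome}")
```

The PRAGMA line matters: without it SQLite accepts the row with employee_id 9999 silently, and the relationship between the tables exists only by convention. The NOT NULL on the primary key column is also deliberate, because SQLite, unlike most engines, otherwise allows a NULL in a non-integer primary key.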


With this information, we're ready to move on to the basics of SQL, the language that lets us work with databases. Throughout this section, we'll gain hands-on experience working with the concepts we just covered! 


Query databases with SQL 


As a security analyst, you'll need to be familiar both with databases and the tools used to access 
them. Now that we know the basics of databases, let's focus on an important tool used to work with 
them, SQL, and learn more about how analysts like yourself might utilize it. SQL, or as it's also 
pronounced, S-Q-L, stands for Structured Query Language. SQL is a programming language used 
to create, interact with, and request information from a database. 

Before learning more about SQL, we need to define what query means. A query is a request for data 
from a database table or a combination of tables. Nearly all relational databases rely on some 
version of SQL to query data. The different versions of SQL only have slight differences in their 
structure, like where to place quotation marks. Whatever variety of SQL you use, you'll find it to be a 
very important tool in your work as a security analyst. 

First, let's discuss how SQL can help you retrieve logs. A log is a record of events that occur within an organization's systems. As a security analyst, you might be tasked with reviewing logs for various reasons. For example, some logs might contain details on machines used in a company, and as an analyst, you would need to find those machines that weren't configured properly. Other logs might describe the visitors to your website or web app and the tasks they perform. In that case, you might be looking for unusual patterns that may point to malicious activity. Security logs are often very large and hard to process. There are millions of data points, and it's very time consuming to find what you need. But this is where SQL comes in! It can search through millions of data points to extract relevant rows of data using one query that takes seconds to run. That's pretty useful, right? 

SQL is also a very common language used for basic data analytics, another set of skills that will set you apart as a security analyst. As a security analyst, you can use SQL's filtering to find data to support security-related decisions and analyze when things may go wrong. For instance, you can identify what machines haven't received the latest patch. This is important because patches are updates that help secure against attacks. As another example, you can use SQL to determine the best time to update a machine based on when it's least used. 

Now that we know why SQL is important to us, we're going to start making basic queries to a sample database! This is definitely exciting, and I'll meet you in the next video. 


SQL filtering versus Linux filtering 


Previously, you explored the Linux commands that allow you to filter for specific information contained within files or directories. And, more recently, you examined how SQL helps you efficiently filter for the information you need. In this reading, you'll explore differences between the two tools as they relate to filtering. You'll also learn that one way to access SQL is through the Linux command line. 


Accessing SQL 


There are many interfaces for accessing SQL and many different versions of SQL. One way to 
access SQL is through the Linux command line. 

To access SQL from Linux, you need to type in a command for the version of SQL that you want to 
use. For example, if you want to access SQLite, you can enter the command sqlite3 in the 
command line. 

After this, any commands typed in the command line will be directed to SQL instead of Linux commands. 


Differences between Linux and SQL filtering 


Although both Linux and SQL allow you to filter through data, there are some differences that affect which one you should choose. 


Purpose 


Linux filters data in the context of files and directories on a computer system. It's used for tasks like searching for specific files, manipulating file permissions, or managing processes. 


SQL is used to filter data within a database management system. It's used for querying and manipulating data stored in tables and retrieving specific information based on defined criteria. 


Syntax 


Linux uses various commands and command-line options specific to each filtering tool. Syntax varies depending on the tool and purpose. Some examples of Linux commands are find, sed, cut, and grep. 

SQL uses the Structured Query Language (SQL), a standardized language with specific keywords and clauses for filtering data across different SQL databases. Some examples of SQL keywords and clauses are WHERE, SELECT, and JOIN. 


Structure 


SQL offers a lot more structure than Linux, which is more free-form and not as tidy. 

For example, if you wanted to access a log of employee log-in attempts, SQL would have each 
record separated into columns. Linux would print the data as a line of text without this organization. 
As a result, selecting a specific column to analyze would be easier and more efficient in SQL. 

In terms of structure, SQL provides results that are more easily readable and that can be adjusted more quickly than when using Linux. 


Joining tables 


Some security-related decisions require information from different tables. SQL allows the analyst to join multiple tables together when returning data. Linux doesn't have that same functionality; it doesn't allow data to be connected to other information on your computer. This is more restrictive for an analyst going through security logs. 


Best uses 


As a security analyst, it's important to understand when you can use which tool. Although SQL has a more organized structure and allows you to join tables, this doesn't mean that there aren't situations that would require you to filter data in Linux. 


A lot of data used in cybersecurity will be stored in a database format that works with SQL. However, other logs might be in a format that is not compatible with SQL. For instance, if the data is stored in a text file, you cannot search through it with SQL. In those cases, it is useful to know how to filter in Linux. 
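As an added example (not part of the reading), the login-log comparison made under Structure above, with a constructed five-line log filtered both ways from Python: first as plain text, the way a grep and cut pipeline treats it, then after loading it into an SQLite table. The log lines, column names and values are all constructed and imply no real system's log format. It also illustrates the point under Best uses: a text file cannot be queried by SQL as it is, but once its fields are loaded into a table with named columns it can.

```python
"""The same login log filtered as text and as a table.

Added example, not course code.  Log lines and column names are constructed.
"""
import sqlite3

# Constructed text log, one event per line: time, username, source address, result.
LOGIN_LOG = """\
2024-05-01T08:02:11 elarson 10.1.4.22 success
2024-05-01T08:05:40 bmoreno 10.1.4.31 failure
2024-05-01T08:06:02 bmoreno 10.1.4.31 failure
2024-05-01T08:06:30 bmoreno 10.1.4.31 success
2024-05-01T09:14:55 tshah 203.0.113.7 failure
"""


def failed_logins_text(log=LOGIN_LOG):
    """Text-style filtering, as `grep failure | cut -d' ' -f2,3` would do it.

    Each line is a string; the reader must know that the username is field 2
    and the address is field 3, and the match is on a word, not a named column.
    """
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] == "failure":
            hits.append((fields[1], fields[2]))
    return hits


def load_log(log=LOGIN_LOG):
    """Give the log structure: one named column per field, one row per event."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (event_time TEXT, username TEXT, source_ip TEXT, result TEXT)")
    rows = [tuple(line.split()) for line in log.splitlines() if line.strip()]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def failed_logins_sql(conn):
    """SQL-style filtering: columns are chosen and tested by name, not position."""
    return conn.execute(
        "SELECT username, source_ip FROM logins "
        "WHERE result = 'failure' ORDER BY event_time"
    ).fetchall()


if __name__ == "__main__":
    print("text :", failed_logins_text())
    print("sql  :", failed_logins_sql(load_log()))
```

Both functions return the same three (username, source address) pairs. The difference is in what the reader of each query has to know: the text version depends on field order and on the word "failure" never appearing in another field, while the SQL version states which column it filters on and which columns it returns.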


Key takeaways 


Linux filtering focuses on managing files and directories on a system, while SQL filtering focuses on structured data manipulation within databases. To work with SQL, you can access it from multiple different interfaces, such as the Linux command line. Both SQL and Linux allow you to filter for specific data, but SQL offers the advantages of structuring the data and allowing you to join data from multiple tables. 


Congratulations! You passed! 


Grade received 100% 


To pass 75% or higher 


Question 1 


Which statement accurately describes the organization of a relational database? 


1/1 point 


Relational databases contain tables that are related to each other through primary and foreign keys. 


Relational databases contain primary keys with at least two duplicate values. 


Relational databases consist of a single table containing related information. 


Relational databases consist of a single table with one primary key and one foreign key. 


Correct 


A relational database is a structured database containing tables that are related to each other through primary and foreign keys. 


Question 2 


What is SQL used for? Select two answers. 


1/1 point 


Securing an organization's systems and networks 


Finding data to support security-related decisions and analysis 


Correct 


SQL is a programming language used to create, interact with, and request information from a database. SQL's filtering can be used to find data to support security-related decisions. 


Creating, interacting with, and requesting information from a database 


Correct 


SQL is a programming language used to create, interact with, and request information from a database. SQL's filtering can be used to find data to support security-related decisions. 


Allowing users to access a specific machine 


Question 3 


A record of attempts to connect to an organization’s network is one example of a log. 


1/1 point 


True 


False 


Correct 


A record of attempts to connect to an organization's network is one example of a log. Logs are records of events that occur within an organization's systems. 


Question 4 


Fill in the blank: A request for data from a database table or a combination of tables is called a 


1/1 point 


query 


log 
key 


row 


Correct 


A request for data from a database table or a combination of tables is called a query. 


Basic queries 


In this video, we're going to be running our very first SQL query! This query will be based on a 
common work task that you might encounter as a security analyst. We're going to determine which 
computer has been assigned to a certain employee. Let's say we have access to the employees 
table. The employees table has five columns. Two of them, employee_id and device_id, contain the 
information that we need. We'll write a query to this table that returns only those two columns from 
the table. 

The two SQL keywords we need for basic SQL queries are SELECT and FROM. SELECT indicates 
which columns to return. FROM indicates which table to query. The use of these keywords in SQL is 
very similar to how we would use these words in everyday language. For example, we can ask a 
friend to select apples and bananas from the big box when going out to buy fruit. This is already very 


similar to SQL. 


So let's go ahead and use SELECT and FROM in SQL to return the information we need on 
employees and the computers they use. We start off by typing in the SQL statement. After FROM, 
we've identified that the information will be pulled from the employees table. And after SELECT, 
employee_id and device_id indicate the two columns we want to return from this table. Notice how a 
comma separates the two columns that we want to return. 

It's also worth mentioning a couple of key aspects related to the syntax of SQL here. Syntax refers to 
the rules that determine what is correctly structured in a computing language. In SQL, keywords are 
not case-sensitive, so you could also write select and from in lowercase, but we're placing them in 
capital letters because it makes the query easier to understand. Another aspect of this syntax is that 
semicolons are placed at the end of the statement. 

And now, we'll run the query by pressing Enter. The output gives us the information we need to 
match employees to their computers. We just ran our very first SQL query! 

Suppose you wanted to know what department the employee using the computer is from, or their 
username, or the office they work in. To do that, we can use SQL to make another statement that 
prints out all of the columns from the table. We can do this by placing an asterisk after SELECT. This 
is commonly referred to as select all. Now, let's run this query to the employees table in SQL. And 
now we have the full table in the output. 

You just made it through a basic query in SQL, congratulations! In the next video, we'll learn how to add filters to our queries, so I'll meet you there! 


Query a database 


Previously, you explored how SQL is an important tool in the world of cybersecurity and is essential when querying databases. You examined a few basic SQL queries and keywords used to extract needed information from a database. In this reading, you'll review those basic SQL queries and learn a new keyword that will help you organize your output. You'll also learn about the Chinook database, which this course uses for queries in readings and quizzes. 


Basic SQL query 


There are two essential keywords in any SQL query: SELECT and FROM. You will use these keywords 
every time you want to query a SQL database. Using them together helps SQL identify what data 
you need from a database and the table you are returning it from. 

The video demonstrated this SQL query: 

SELECT employee_id, device_id 

FROM employees; 

In readings and quizzes, this course uses a sample database called the Chinook database to run 
queries. The Chinook database includes data that might be created at a digital media company. A 
security analyst employed by this company might need to query this data. For example, the 
database contains eleven tables, including an employees table, a customers table, and an 
invoices table. These tables include data such as names and addresses. 


As an example, you can run this query to return data from the customers table of the Chinook 
database: 
USE REPLIT.COM TO RUN THIS 

SELECT customerid, city, country 
FROM customers; 


SELECT 


The SELECT keyword indicates which columns to return. For example, you can return the 
customerid column from the Chinook database with 

SELECT customerid 


You can also select multiple columns by separating them with a comma. For example, if you want to 
return both the customerid and city columns, you should write SELECT customerid, city. 

If you want to return all columns in a table, you can follow the SELECT keyword with an asterisk (*). 
The first line in the query will be SELECT *. 

Note: Although the tables you're querying in this course are relatively small, using SELECT * may 
not be advisable when working with large databases and tables; in those cases, the final output may 
be difficult to understand and might be slow to run. 


FROM 


The SELECT keyword always comes with the FROM keyword. FROM indicates which table to query. To 
use the FROM keyword, you should write it after the SELECT keyword, often on a new line, and follow 
it with the name of the table you’re querying. If you want to return all columns from the customers 
table, you can write: 

SELECT * 

FROM customers; 

When you want to end the query here, you put a semicolon (;) at the end to tell SQL that this is the 
entire query. 

Note: Line breaks are not necessary in SQL queries, but are often used to make the query easier to 
understand. If you prefer, you can also write the previous query on one line as 

SELECT * FROM customers; 


ORDER BY 


Database tables are often very complicated, and this is where other SQL keywords come in handy. 
ORDER BY is an important keyword for organizing the data you extract from a table. 
ORDER BY sequences the records returned by a query based on a specified column or columns. This 
can be in either ascending or descending order. 


Sorting in ascending order 


To use the ORDER BY keyword, write it at the end of the query and specify a column to base the sort 
on. In this example, SQL will return the customerid, city, and country columns from the 
customers table, and the records will be sequenced by the city column: 
USE REPLIT.COM TO RUN THIS 

SELECT customerid, city, country 
FROM customers 
ORDER BY city; 


The ORDER BY keyword sorts the records based on the column specified after this keyword. By 
default, as shown in this example, the sequence will be in ascending order. This means 

• if you choose a column containing numeric data, it sorts the output from the smallest to 
largest. For example, if sorting on customerid, the ID numbers are sorted from smallest to 
largest. 
• if the column contains alphabetic characters, such as in the example with the city column, it 
orders the records from the beginning of the alphabet to the end. 


Sorting in descending order 


You can also use the ORDER BY with the DESC keyword to sort in descending order. The DESC 
keyword is short for "descending" and tells SQL to sort numbers from largest to smallest, or 
alphabetically from Z to A. This can be done by following ORDER BY with the DESC keyword. For 
example, you can run this query to examine how the results differ when DESC is applied: 
USE REPLIT.COM TO RUN THIS 

SELECT customerid, city, country 
FROM customers 
ORDER BY city DESC; 

Now, cities at the end of the alphabet are listed first. 


Sorting based on multiple columns 


You can also choose multiple columns to order by. For example, you might first choose the country 
and then the city column. SQL then sorts the output by country, and for rows with the same 
country, it sorts them based on city. You can run this to explore how SQL displays this: 
USE REPLIT.COM TO RUN THIS 

SELECT customerid, city, country 
FROM customers 
ORDER BY country, city; 
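As an added example that is not part of the course reading, the following Python script loads six constructed rows into an in-memory SQLite stand-in for the Chinook customers table and runs the reading's three ORDER BY queries, plus SELECT *, against it. Python's standard sqlite3 module is the only dependency; the table and column names follow the reading, while the row values and the helper function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows for a small stand-in of the Chinook customers table
# (the real table has many more columns and rows; these values are made up).
SAMPLE_CUSTOMERS = [
    (1, "Sao Paulo", "Brazil"),
    (2, "Toronto", "Canada"),
    (3, "Montreal", "Canada"),
    (4, "Austin", "USA"),
    (5, "Boston", "USA"),
    (6, "Edmonton", "Canada"),
]


def build_customers_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample customers table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (customerid INTEGER, city TEXT, country TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return con


def run_query(con: sqlite3.Connection, sql: str) -> list:
    """Run a SELECT statement and return its rows as a list of tuples."""
    return con.execute(sql).fetchall()


def select_all(con):
    # SELECT * returns every column: fine on a tiny table, costly on a large one.
    return run_query(con, "SELECT * FROM customers;")


def sorted_by_city(con):
    # ORDER BY defaults to ascending: text sorts A to Z, numbers smallest to largest.
    return run_query(con, "SELECT customerid, city, country FROM customers ORDER BY city;")


def sorted_by_city_desc(con):
    # DESC reverses the sort: Z to A for text.
    return run_query(con, "SELECT customerid, city, country FROM customers ORDER BY city DESC;")


def sorted_by_country_then_city(con):
    # The first column is the primary sort key; ties are broken by the second.
    return run_query(
        con, "SELECT customerid, city, country FROM customers ORDER BY country, city;"
    )


if __name__ == "__main__":
    con = build_customers_db()
    print("ascending by city:", [row[1] for row in sorted_by_city(con)])
    print("descending by city:", [row[1] for row in sorted_by_city_desc(con)])
    print("by country, then city:")
    for row in sorted_by_country_then_city(con):
        print("  ", row)
```

One caveat worth knowing before relying on a sort: SQLite's default text ordering is byte-wise, so every uppercase letter sorts before every lowercase one, and other database engines apply their own collation rules. A sort that looks alphabetical on one engine may not on another, so check the ordering on the engine you actually query.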


Key takeaways 


SELECT and FROM are important keywords in SQL queries. You use SELECT to indicate which 
columns to return and FROM to indicate which table to query. You can also include ORDER BY in your 
query to organize the output. These foundational SQL skills will support you as you move into more 
advanced queries. 


Basic filters on SQL queries 


One of the most powerful features of SQL is its ability to filter. In this video, we're going to learn how 
this helps us make better queries and select more specific pieces of data from a database. 

Filtering is selecting data that match a certain condition. Think of filtering as a way of only choosing 
the data we want. Let's say we wanted to select apples from a fruit cart. Filtering allows us to specify 
what kind of apples we want to choose. When we go buy apples, we might explicitly say, "Choose 
only apples that are fresh." This removes apples that aren't fresh from the selection. This is a filter! 
As a security analyst, you might filter a log-in attempts table to find all attempts from a specific 
country. This could be done by applying a filter on the country column. For example, you could filter 
to just return records containing Canada. 

Before we get started, we need to focus on an important part of the syntax of SQL. Let's learn about 
operators. An operator is a symbol or keyword that represents an operation. An example of an 
operator would be the equal to operator. For example, if we wanted to find all records that have USA 
in the country column, we use country = 'USA'. To filter a query in SQL, we simply add an extra line to 
the SELECT and FROM statement we used before. This extra line will use a WHERE clause. In 
SQL, WHERE indicates the condition for a filter. After the keyword WHERE, the specific condition is 
listed using operators. So if we wanted to find all of the login attempts made in the United States, we 
would create this filter. In this particular condition, we're indicating to return all records that have a 
value in the country column that is equal to USA. 

Let's try putting it all together in SQL. We're going to start with selecting all the columns from the 
log_in_attempts table. And then add the WHERE filter. Don't forget the semicolon! This tells us we 
finished the SQL statement. Now, let's run this query! Because of our filter, only the rows where the 
country of the log-in attempt was USA are returned. 

In the previous example, the condition for our filter was based simply on returning records that are 
equal to a particular value. We can also make our conditions more complex by searching for a 
pattern instead of an exact word. For example, in the employees table, we have a column for office. 
We could search for records in this column that match a certain pattern. Perhaps we might want all 
offices in the East building. To search for a pattern, we use the percentage sign to act as a wildcard 
for unspecified characters. If we ran a filter for 'East%', this would return all records that start with 
East -- for example, the offices East-120, East-290, and East-435. 

When searching for patterns with the percentage sign, we cannot use the equals operator. Instead, 
we use another operator, LIKE. LIKE is an operator used with WHERE to search for a pattern in a 
column. 

Since LIKE is an operator, similar to the equal sign, we use it instead of the equal sign. So, when our 
goal is to return all values in the office column that start with the word East, LIKE would appear in a 
WHERE clause. 

Let's go back to the example in which we wanted to filter for log-in attempts made in the United 
States. Imagine that we realize that our database contains inconsistencies with how the United 
States is represented. Some entries use US while others use USA. Let's get into SQL and apply this 
new type of filter with LIKE. We're going to start with the same first two lines of code because we 
want to select all columns from the log-in attempts table. And we're going to add a filter with LIKE so 
that records will be returned if they contain a value in the country column beginning with the 
characters US. This includes both US and USA. Let's run this query to check if the output changes. 

This returns all the entries where the user location was in the United States. And now we can use 
the LIKE clause to filter columns based on a pattern! 
Wow, we've already learned how to get very precise with our database and get exactly the data we 
need with one single query. I'm excited for what's next! 


The WHERE clause and basic operators 


Previously, you focused on how to refine your SQL queries by using the WHERE clause to filter 
results. In this reading, you'll further explore how to use the WHERE clause, the LIKE operator and 
the percentage sign (%) wildcard. You'll also be introduced to the underscore (_), another wildcard 
that can help you filter queries. 


How filtering helps 


As a security analyst, you'll often be responsible for working with very large and complicated security 
logs. To find the information you need, you'll often need to use SQL to filter the logs. 

In a cybersecurity context, you might use filters to find the login attempts of a specific user or all 
login attempts made at the time of a security issue. As another example, you might filter to find the 
devices that are running a specific version of an application. 


WHERE 


To create a filter in SQL, you need to use the keyword WHERE. WHERE indicates the condition for a 
filter. 

If you needed to email employees with a title of IT Staff, you might use a query like the one in the 
following example. You can run this example to examine what it returns: 
USE REPLIT.COM TO RUN THIS 

SELECT firstname, lastname, title, email 
FROM employees 
WHERE title = 'IT Staff'; 

Rather than returning all records in the employees table, this WHERE clause instructs SQL to return 
only those that contain 'IT Staff' in the title column. It uses the equals sign (=) operator to set 
this condition. 

Note: You should place the semicolon (;) where the query ends. When you add a filter to a basic 
query, the semicolon is after the filter. 


Filtering for patterns 


You can also filter based on a pattern. For example, you can identify entries that start or end with a 
certain character or characters. Filtering for a pattern requires incorporating two more elements into 
your WHERE clause: 

• a wildcard 
• the LIKE operator 


Wildcards 


A wildcard is a special character that can be substituted with any other character. Two of the most 
useful wildcards are the percentage sign (%) and the underscore (_): 

• The percentage sign substitutes for any number of other characters. 
• The underscore symbol only substitutes for one other character. 

These wildcards can be placed after a string, before a string, or in both locations depending on the 
pattern you're filtering for. 
The following table includes these wildcards applied to the string 'a' and examples of what each 
pattern would return. 

Pattern    Results that could be returned 
'a%'       apple123, art, a 
'a_'       as, an, a7 
'a__'      ant, add, alc 
'%a'       pizza, Z6ra, a 
'_a'       ma, la, Ha 
'%a%'      Again, back, a 
'_a_'      Car, ban, ea7 

LIKE 


To apply wildcards to the filter, you need to use the LIKE operator instead of an equals sign (=). 
LIKE is used with WHERE to search for a pattern in a column. 
For instance, if you want to email employees with a title of either 'IT Staff' or 'IT Manager', 
you can use the LIKE operator combined with the % wildcard: 
USE REPLIT.COM TO RUN THIS 

SELECT lastname, firstname, title, email 
FROM employees 
WHERE title LIKE 'IT%'; 


This query returns all records with values in the title column that start with the pattern of 'IT'. 
This means both 'IT Staff' and 'IT Manager' are returned. 

As another example, if you want to search through the invoices table to find all customers located in 
states with an abbreviation of 'NY', 'NV', 'NS' or 'NT', you can use the 'N_' pattern on the 
state column: 
USE REPLIT.COM TO RUN THIS 

SELECT firstname, lastname, state, country 
FROM customers 
WHERE state LIKE 'N_'; 

This returns all the records with state abbreviations that follow this pattern. 


Key takeaways 

Filters are important when refining what your query returns. WHERE is an essential keyword for 
adding a filter to your query. You can also filter for patterns by combining the LIKE operator with the 
percentage sign (%) and the underscore (_) wildcards. 
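The video's US/USA filter and this reading's wildcard rules both come down to the difference between an exact match with = and a pattern match with LIKE. As an added example (not code from the course), the following Python script builds a constructed log_in_attempts table in an in-memory SQLite database and runs both kinds of filter over it, including the 'East%' office filter from the video and an underscore pattern. The table name and the country and office columns follow the course; the event_id and username columns, the six rows, and the function names are assumptions for this example.

```python
import sqlite3

# Constructed sample rows for a small log_in_attempts table (made-up values;
# note the inconsistent "US" / "USA" spellings the video describes).
SAMPLE_ATTEMPTS = [
    (1, "analyst10", "USA", "East-120"),
    (2, "admin1", "US", "East-290"),
    (3, "jdoe", "Canada", "North-201"),
    (4, "ksmith", "USA", "West-100"),
    (5, "mlee", "Australia", "East-435"),
    (6, "root", "Uruguay", "North-305"),
]


def build_attempts_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample log_in_attempts table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE log_in_attempts "
        "(event_id INTEGER, username TEXT, country TEXT, office TEXT)"
    )
    con.executemany("INSERT INTO log_in_attempts VALUES (?, ?, ?, ?)", SAMPLE_ATTEMPTS)
    return con


def _ids(rows):
    """Reduce result rows to their event_id values for easy comparison."""
    return [row[0] for row in rows]


def attempts_where_country_equals(con, value):
    # '=' is an exact match: 'USA' does not match 'US', and a '%' in the value
    # is just another character, not a wildcard.
    # The value is bound with '?' rather than pasted into the SQL text, so a
    # value containing a quote cannot change the shape of the query.
    sql = "SELECT event_id, username, country FROM log_in_attempts WHERE country = ?;"
    return _ids(con.execute(sql, (value,)).fetchall())


def attempts_where_country_like(con, pattern):
    # LIKE interprets '%' (any run of characters) and '_' (exactly one character).
    sql = "SELECT event_id, username, country FROM log_in_attempts WHERE country LIKE ?;"
    return _ids(con.execute(sql, (pattern,)).fetchall())


def attempts_where_office_like(con, pattern):
    sql = "SELECT event_id, office FROM log_in_attempts WHERE office LIKE ?;"
    return _ids(con.execute(sql, (pattern,)).fetchall())


if __name__ == "__main__":
    con = build_attempts_db()
    print("country = 'USA':        ", attempts_where_country_equals(con, "USA"))
    print("country = 'US%':        ", attempts_where_country_equals(con, "US%"))
    print("country LIKE 'US%':     ", attempts_where_country_like(con, "US%"))
    print("country LIKE 'US_':     ", attempts_where_country_like(con, "US_"))
    print("office LIKE 'East%':    ", attempts_where_office_like(con, "East%"))
    print("office LIKE 'North-___':", attempts_where_office_like(con, "North-___"))
```

Two details to keep in mind when moving from this toy table to real logs. First, every filter value above is passed to sqlite3 as a bound parameter (the ? placeholder) instead of being concatenated into the query string; that is the form to use whenever a filter value comes from outside the script. Second, SQLite's LIKE ignores case for ASCII letters by default, so 'us%' would return the same rows as 'US%' here; other database engines differ on this, so check before assuming a pattern is case-sensitive or not.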


Congratulations! You passed! 
Grade received 100% 
To pass 75% or higher 

Question 1 
What is filtering in SQL? 
1/1 point 

Changing a table to match a condition 
Removing unnecessary data from the database 
Removing invalid records 
Selecting data that match a certain condition 

Correct 
Filtering in SQL is selecting data that match a certain condition. Analysts use filters in SQL to return the 
data they need. 


Question 2 
You are working with the Chinook database and want to return the firstname, lastname, and phone of 
all employees. Replace --??? with the missing information to complete the query. (If you want to undo 
your changes to the query, you can click the Reset button.) 
USE REPLIT.COM TO RUN THIS 

SELECT firstname, lastname, phone 
FROM employees; 

What is Andrew Adams' phone number? 
1/1 point 

+1 (403) 467-3351 
+1 (780) 836-9987 
+1 (780) 428-9482 
+1 (403) 262-3443 

Correct 
Andrew Adams' phone number is +1 (780) 428-9482. By replacing --??? with SELECT firstname, 
lastname, phone, you can complete the query and return this result. 


Question 3 
A security analyst wants to filter the log_in_attempts table for records where the value in the country 
column is 'Canada'. What is a valid query for this? 
1/1 point 

SELECT * 
FROM log_in_attempts 
WHERE country = Canada; 

WHERE country = 'Canada' 
SELECT * 
FROM log_in_attempts; 

SELECT WHERE country = 'Canada' 
FROM log_in_attempts; 

SELECT * 
FROM log_in_attempts 
WHERE country = 'Canada'; 

Correct 
The security analyst can use the following query to filter the log_in_attempts table for records where 
the value in the country column is 'Canada': 

SELECT * 
FROM log_in_attempts 
WHERE country = 'Canada'; 


Question 4 
Which pattern matches with any string that starts with the character 'A'? 
1/1 point 

'%A%' 
'A%' 
"On! 

Correct 
The percentage sign (%) is a wildcard that substitutes for any number of other characters. The pattern 
'A%' matches with any string that starts with the character 'A'. 


Filter dates and numbers 


In this video, we're going to continue using SQL queries and filters, but now we're going to apply 
them to new data types. First, let's explore the three common data types that you will find in 
databases: string, numeric, and date and time. String data is data consisting of an ordered sequence 
of characters. These characters could be numbers, letters, or symbols. For example, you'll 
encounter string data in user names, such as a user name: analyst10. Numeric data is data 
consisting of numbers, such as a count of log-in attempts. Unlike strings, mathematical operations 
can be used on numeric data, like multiplication or addition. Date and time data refers to data 
representing a date and/or time. 

Previously, we applied filters using string data, but now let's work with numeric and date and time 
data. As a security analyst, you'll often need to query numbers and dates. For example, we could 
filter patch dates to find machines that need an update, or we could filter log-in attempts to return 
only those made in a certain period of time. We learned about operators in the last video, and we're 
going to use them again for numbers and dates. 

Common operators for working with numeric or date and time data types include: equals, greater 
than, less than, not equal to, greater than or equal to, and less than or equal to. Let's say you want 
to find the log-in attempts made after 6 pm. Because this is past normal business hours, you want to 
look for suspicious patterns. You can identify these attempts by using the greater than operator in 
your filter. We'll start writing our query in SQL. We begin by indicating that we want to select all 
columns FROM the log_in_attempts table. Then we'll add our filter with WHERE. 

Our condition indicates that the value in the time column must be greater than, or for dates and 
times, later than '18:00', which is how 6 pm is written in SQL. Let's run this and examine the output. 
Perfect! Now we have a list of log-in attempts made after 6 pm. 

We can also filter for numbers and dates by using the BETWEEN operator. BETWEEN is an 
operator that filters for numbers or dates within a range. An example of this would be when looking 
for all patches installed within a certain range. Let's do this! Let's find all the patches installed 
between March 1st, 2021 and September 1st, 2021. In our query, we start with selecting all records 
FROM the machines table. 

And we add the BETWEEN operator in the WHERE statement. 

Let's break down the statement. First, after WHERE, we indicate which column to filter, in our case, 
OS_patch_date. Next, comes our operator BETWEEN. We then add the beginning of our range, 
type AND, then finish by adding the end of our range and a semicolon. Now, let's run this and 
explore the output. And now we have a list of all machines patched between those two dates! 
Before we wrap up, an important thing to note is that when we filter for strings, dates, and times, we 
use quotation marks to specify what we're looking for. However, for numbers, we don't use quotation 
marks. With this new knowledge, you're now ready to work on all sorts of interesting filters for 
numbers and dates. In the next video, we'll be able to expand our filtering even further by using 
multiple conditions in one query. 


Operators for filtering dates and numbers 


Previously, you examined operators like less than (<) or greater than (>) and explored how they can 
be used in filtering numeric and date and time data types. This reading summarizes what you 
learned and provides new examples of using operators in filters. 


Numbers, dates, and times in cybersecurity 


Security analysts work with more than just string data, or data consisting of an ordered sequence of 
characters. 
They also frequently work with numeric data, or data consisting of numbers. A few examples of 
numeric data that you might encounter in your work as a security analyst include: 

• the number of login attempts 
• the count of a specific type of log entry 
• the volume of data being sent from a source 
• the volume of data being sent to a destination 

You'll also encounter date and time data, or data representing a date and/or time. As a first 
example, logs will generally timestamp every record. Other time and date data might include: 

• login dates 
• login times 
• dates for patches 
• the duration of a connection 


Comparison operators 


In SQL, filtering numeric and date and time data often involves operators. You can use the following 
operators in your filters to make sure you return only the rows you need: 

Operator   Use 
<          less than 
>          greater than 
=          equal to 
<=         less than or equal to 
>=         greater than or equal to 
<>         not equal to 

Note: You can also use != as an alternative operator for not equal to. 


Incorporating operators into filters 


These comparison operators are used in the WHERE clause at the end of a query. The following 
query uses the > operator to filter the birthdate column. You can run this query to explore its 
output: 
USE REPLIT.COM TO RUN THIS 

SELECT firstname, lastname, birthdate 
FROM employees 
WHERE birthdate > '1970-01-01'; 

This query returns the first and last names of employees born after, but not on, '1970-01-01' (or 
January 1, 1970). If you were to use the >= operator instead, the results would also include results 
on exactly '1970-01-01'. 

In other words, the > operator is exclusive and the >= operator is inclusive. An exclusive operator 
is an operator that does not include the value of comparison. An inclusive operator is an operator 
that includes the value of comparison. 


BETWEEN 


Another operator used for numeric data as well as date and time data is the BETWEEN operator. 
BETWEEN filters for numbers or dates within a range. For example, if you want to find the first and 
last names of all employees hired between January 1, 2002 and January 1, 2003, you can use the 
BETWEEN operator as follows: 
USE REPLIT.COM TO RUN THIS 

SELECT firstname, lastname, hiredate 
FROM employees 
WHERE hiredate BETWEEN '2002-01-01' AND '2003-01-01'; 

Note: The BETWEEN operator is inclusive. This means records with a hiredate of January 1, 2002 
or January 1, 2003 are included in the results of the previous query. 


Key takeaways 


Operators are important when filtering numeric and date and time data. These include exclusive 
operators such as < and inclusive operators such as <=. The BETWEEN operator, another inclusive 
operator, helps you return the data you need within a range. 
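The inclusive/exclusive distinction in this reading, and the video's point that numbers are not quoted while dates and times are, are easiest to see on rows that sit exactly on the boundary. As an added example (not code from the course), the following Python script builds a constructed employees table in an in-memory SQLite database, with one employee born on exactly 1970-01-01 and hires on both ends of the 2002 range, and runs the reading's > and BETWEEN filters plus a numeric >= and <> filter over it. The birthdate and hiredate columns follow the reading; the failed_logins column, the five rows and the function names are assumptions for this example.

```python
import sqlite3

# Constructed sample rows loosely modelled on the Chinook employees table, plus a
# made-up failed_logins count so a numeric filter can be shown. Dates are stored
# as ISO 'YYYY-MM-DD' text, the form the reading uses.
SAMPLE_EMPLOYEES = [
    (1, "Ana", "Rivera", "1969-12-31", "2002-01-01", 0),
    (2, "Ben", "Okafor", "1970-01-01", "2002-06-15", 3),
    (3, "Chloe", "Nguyen", "1970-01-02", "2003-01-01", 12),
    (4, "Dev", "Patel", "1985-07-20", "2003-01-02", 1),
    (5, "Eve", "Larsen", "1990-11-05", "2001-12-31", 7),
]


def build_employees_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample employees table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE employees (employeeid INTEGER, firstname TEXT, lastname TEXT,"
        " birthdate TEXT, hiredate TEXT, failed_logins INTEGER)"
    )
    con.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_EMPLOYEES)
    return con


def _ids(rows):
    """Reduce result rows to their employeeid values for easy comparison."""
    return [row[0] for row in rows]


def born_after(con, date, inclusive=False):
    # '>' is exclusive: a birthdate exactly equal to `date` is left out.
    # '>=' is inclusive: that row is returned too. Only these two fixed
    # operators are ever interpolated; the date itself is a bound parameter.
    op = ">=" if inclusive else ">"
    sql = f"SELECT employeeid, firstname, birthdate FROM employees WHERE birthdate {op} ?;"
    return _ids(con.execute(sql, (date,)).fetchall())


def hired_between(con, start, end):
    # BETWEEN is inclusive at both ends: hires on `start` or `end` are returned.
    sql = "SELECT employeeid, firstname, hiredate FROM employees WHERE hiredate BETWEEN ? AND ?;"
    return _ids(con.execute(sql, (start, end)).fetchall())


def failed_logins_at_least(con, threshold):
    # Numeric comparison: the threshold is an integer, not a quoted string.
    sql = "SELECT employeeid, firstname, failed_logins FROM employees WHERE failed_logins >= ?;"
    return _ids(con.execute(sql, (threshold,)).fetchall())


def failed_logins_not_equal(con, value):
    # '<>' (or '!=') is "not equal to".
    sql = "SELECT employeeid, failed_logins FROM employees WHERE failed_logins <> ?;"
    return _ids(con.execute(sql, (value,)).fetchall())


if __name__ == "__main__":
    con = build_employees_db()
    print("birthdate >  '1970-01-01':", born_after(con, "1970-01-01"))
    print("birthdate >= '1970-01-01':", born_after(con, "1970-01-01", inclusive=True))
    print("hiredate BETWEEN '2002-01-01' AND '2003-01-01':",
          hired_between(con, "2002-01-01", "2003-01-01"))
    print("failed_logins >= 5:", failed_logins_at_least(con, 5))
    print("failed_logins <> 0:", failed_logins_not_equal(con, 0))
```

A caveat that matters for real log tables: SQLite has no dedicated date type, so the comparisons above are text comparisons. They order correctly only because the dates are zero-padded year-month-day strings; a day-first or month-first format would compare lexically, not chronologically, and a range filter over it would return the wrong rows without any error. Store or convert timestamps to a sortable form before filtering on them.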


Filters with AND, OR, and NOT 


In the previous lesson, we learned about even more ways to filter queries in SQL to work with some 
typical security analyst tasks. However, when working with real security questions, we often have to 
filter for multiple conditions. Vulnerabilities, for instance, might depend on more than one factor. For 
example, a security vulnerability might be related to machines using a specific email client on a 
specific operating system. So, to find the possible vulnerabilities, we need to find machines using 
both the email client and the operating system. 

To make a query with multiple conditions that must be met, we use the AND operator between two 
separate conditions. AND is an operator that specifies that both conditions must be met 
simultaneously. Bringing this back to our fruit and vegetable analogy, this is the same as asking 
someone to select apples from the big box where the apples are large and fresh. This means our 
results won't include any small apples even if they're fresh, or any rotten apples even if they're large. 
They'll only include large fresh apples. The apples must meet both conditions. 

Going back to our database, the machines table lists all operating systems and email clients. We 
want a list of machines running Operating System 1 and a list of machines using Email Client 1. 
We'll use the left and right circles in the Venn diagram to represent these groups. We need SQL to 
select the machines that have both OS 1 and Email Client 1. The filled-in area at the intersection of 
these circles represents this condition. Let's take this and implement it in SQL. 

First, we're going to start by building the first lines of the query, telling SQL to SELECT * (all columns) 
FROM the machines table. Then, we'll add the WHERE clause. 

Let's examine this more closely. First, we indicate the first condition that it must meet: that the 
operating system column has a value of 'OS 1'. 

Then, we use AND to join this to another condition. And finally, we enter the other condition, in this 
case that the email client column should have a value of 'Email Client 1'. 

And this is how you use the AND operator in SQL! Let's run this to get the query results. Perfect! All 
the results match both our conditions! 


Let's keep going and explore more ways to combine different conditions by working with the OR 
operator. The OR operator is an operator that specifies that either condition can be met. In a Venn 
diagram, let's say each circle represents a condition. When they are joined with OR, SQL would 
select all rows that satisfy one of the conditions. And it's also ok if it meets both conditions. 

Let's run another query and use the OR operator. Let's say that we wanted the filter to identify 
machines that have either OS 1 or OS 3 because both types need a patch. We'll type in these 
conditions. 

Let's examine this more closely. After WHERE, our first condition indicates we want to filter, so that 
the query selects machines with 'OS 1'. We use the OR operator because we also want to find 
records that match another condition. This additional condition is placed after OR and indicates to 
also select machines running 'OS 3'. Executing the query, our results now include records that have a 
value of either OS 1 or OS 3 in the operating system column. Good job, we're running some complex 
queries. 

The last operator we're going to go into is the NOT operator. NOT negates a condition. In a diagram, 
we can show this by selecting every entry that does not match our condition. The condition is 
represented by the circle. The filled-in portion outside the circle represents what gets returned. This 
is all data that does not match the condition. For example, when picking out fruit, you can be looking 
for any fruit that is not an apple. That is a lot more efficient than telling your friend you want a banana 
or an orange or a lime, and so on. 

Suppose you wanted to update all of the devices in your company except for the ones using OS 3. 
Bringing this into SQL, we can write this query. 

We place NOT after WHERE and before the condition of the filter. Executing these queries gives us 
the list of all the machines that aren't running OS 3, and now we know which machines to update. 
That was a lot of new content that we just looked into, but you're learning more and more SQL that 
you can use on your journey to become an analyst! In the next video, we'll be learning how to 
combine and join two tables together to expand the kinds of queries we can run. I'll meet you there! 


More on filters with AND, OR, and NOT 


Previously, you explored how to add filters containing the AND, OR, and NOT operators to your SQL 
queries. In this reading, you'll continue to explore how these operators can help you refine your 
queries. 


Logical operators 


AND, OR, and NOT allow you to filter your queries to return the specific information that will help you 
in your work as a security analyst. They are all considered logical operators. 


AND 


First, AND is used to filter on two conditions. AND specifies that both conditions must be met 
simultaneously. 

As an example, a cybersecurity concern might affect only those customer accounts that meet both 
the condition of being handled by a support representative with an ID of 5 and the condition of being 
located in the USA. To find the names and emails of those specific customers, you should place the 
two conditions on either side of the AND operator in the WHERE clause: 
USE REPLIT.COM TO RUN THIS 

SELECT firstname, lastname, email, country, supportrepid 
FROM customers 
WHERE supportrepid = 5 AND country = 'USA'; 

Running this query returns four rows of information about the customers. You can use this 
information to contact them about the security concern. 


OR 


The OR operator also connects two conditions, but OR specifies that either condition can be met. It 
returns results where the first condition, the second condition, or both are met. 

For example, if you are responsible for finding all customers who are either in the USA or Canada so 
that you can communicate information about a security update, you can use an OR operator to find 
all the needed records. As the following query demonstrates, you should place the two conditions on 
either side of the OR operator in the WHERE clause: 
USE REPLIT.COM TO RUN THIS 

SELECT firstname, lastname, email, country 
FROM customers 
WHERE country = 'Canada' OR country = 'USA'; 

The query returns all customers in either the US or Canada. 
Note: Even if both conditions are based on the same column, you need to write out both full 
conditions. For instance, the query in the previous example contains the filter WHERE country = 
'Canada' OR country = 'USA'. 


NOT 


Unlike the previous two operators, the NOT operator only works on a single condition, and not on 
multiple ones. The NOT operator negates a condition. This means that SQL returns all records that 
don’t match the condition specified in the query. 

For example, if a cybersecurity issue doesn't affect customers in the USA but might affect those in 
other countries, you can return all customers who are not in the USA. This would be more efficient 
than creating individual conditions for all of the other countries. To use the NOT operator for this task, 
write the following query and place NOT directly after WHERE: 
USE REPLIT.COM TO RUN THIS 

SELECT firstname, lastname, email, country 
FROM customers 
WHERE NOT country = 'USA'; 

SQL returns every entry where the customers are not from the USA. 
Pro tip: Another way of finding values that are not equal to a certain value is by using the <> 
operator or the != operator. For example, WHERE country <> 'USA' and WHERE country != 
'USA' are the same filters as WHERE NOT country = 'USA'. 


Combining logical operators 


Logical operators can be combined in filters. For example, if you know that both the USA and 
Canada are not affected by a cybersecurity issue, you can combine operators to return customers in 
all countries besides these two. In the following query, NOT is placed before the first condition, it's 
joined to a second condition with AND, and then NOT is also placed before that second condition. You 
can run it to explore what it returns: 
USE REPLIT.COM TO RUN THIS 

SELECT firstname, lastname, email, country 
FROM customers 
WHERE NOT country = 'Canada' AND NOT country = 'USA'; 


Key takeaways 


Logical operators allow you to create more specific filters that target the security-related information 
you need. The AND operator requires two conditions to be true simultaneously, the OR operator 
requires either one or both conditions to be true, and the NOT operator negates a condition. Logical 
operators can be combined together to create even more specific queries. 
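The video's OS/email-client filters and this reading's customer filters use the same three operators, so one added example (not code from the course) covers both: the Python script below builds a constructed stand-in for the Chinook customers table in an in-memory SQLite database and runs the reading's AND, OR, NOT and NOT ... AND NOT ... filters over it. It goes a little beyond the reading in two ways a practitioner runs into quickly: it shows what NOT does with rows whose column is NULL, and what happens when AND and OR are mixed without parentheses. The customers table and its country, state and supportrepid columns follow the reading; the eight rows and the function names are assumptions for this example.

```python
import sqlite3

# Constructed sample rows for a small stand-in of the Chinook customers table.
# Two customers have no state recorded (NULL), which matters for NOT below.
SAMPLE_CUSTOMERS = [
    (1, "Luis", "Brazil", "SP", 3),
    (2, "Leonie", "Germany", None, 5),
    (3, "Frank", "USA", "NV", 5),
    (4, "Jennifer", "Canada", "BC", 3),
    (5, "Kathy", "USA", "NY", 5),
    (6, "Tim", "USA", "NS", 3),
    (7, "Diego", "Argentina", None, 4),
    (8, "Mark", "Canada", "NS", 5),
]


def build_customers_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample customers table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customers (customerid INTEGER, firstname TEXT, country TEXT,"
        " state TEXT, supportrepid INTEGER)"
    )
    con.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return con


def _ids(con, where, params=()):
    """Run SELECT ... FROM customers WHERE <where> and return the matching ids.

    `where` is always one of the fixed literals written in this module; every
    caller-supplied value travels as a bound parameter, never as query text.
    """
    sql = f"SELECT customerid, firstname, country, state FROM customers WHERE {where};"
    return [row[0] for row in con.execute(sql, params).fetchall()]


def rep_customers_in_country(con, rep_id, country):
    # AND: both conditions must hold for a row to be returned.
    return _ids(con, "supportrepid = ? AND country = ?", (rep_id, country))


def customers_in_either(con, a, b):
    # OR: either condition (or both) may hold. Each side is written out as a
    # full condition even though both test the same column.
    return _ids(con, "country = ? OR country = ?", (a, b))


def customers_not_in(con, country):
    # NOT negates one condition; "country <> ?" or "country != ?" is equivalent.
    return _ids(con, "NOT country = ?", (country,))


def customers_in_neither(con, a, b):
    # NOT ... AND NOT ...: exclude both countries.
    return _ids(con, "NOT country = ? AND NOT country = ?", (a, b))


def state_not(con, state):
    # Rows whose state is NULL are NOT returned: NULL = 'NV' evaluates to
    # unknown, and NOT unknown is still unknown, so those rows are dropped.
    return _ids(con, "NOT state = ?", (state,))


def usa_nv_or_ns_without_parens(con):
    # AND binds tighter than OR, so this reads as
    # (country = 'USA' AND state = 'NV') OR state = 'NS'
    # and lets in a Canadian 'NS' customer.
    return _ids(con, "country = ? AND state = ? OR state = ?", ("USA", "NV", "NS"))


def usa_nv_or_ns_with_parens(con):
    # Parentheses make the intended grouping explicit.
    return _ids(con, "country = ? AND (state = ? OR state = ?)", ("USA", "NV", "NS"))


if __name__ == "__main__":
    con = build_customers_db()
    print("rep 5 AND USA:          ", rep_customers_in_country(con, 5, "USA"))
    print("Canada OR USA:          ", customers_in_either(con, "Canada", "USA"))
    print("NOT USA:                ", customers_not_in(con, "USA"))
    print("NOT Canada AND NOT USA: ", customers_in_neither(con, "Canada", "USA"))
    print("NOT state = 'NV':       ", state_not(con, "NV"))
    print("mixed, no parentheses:  ", usa_nv_or_ns_without_parens(con))
    print("mixed, with parentheses:", usa_nv_or_ns_with_parens(con))
```

The two extra functions are the ones to remember. A NOT filter on a column that can be empty silently drops the NULL rows, which for a security query can mean missing exactly the records with incomplete data; add "OR state IS NULL" when those rows should count as "not NV". And once a WHERE clause mixes AND with OR, write the parentheses even when the default precedence happens to give the right answer, so the next reader does not have to work it out.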


Congratulations! You passed! 
Grade received 75% 
To pass 75% or higher 

Question 1 
Which filter outputs all records with values in the date column between '01-01-2015' (January 1, 2015) 
and '01-04-2015' (April 1, 2015)? 
1/1 point 

WHERE date < '01-04-2015'; 
WHERE date BETWEEN '01-01-2015' AND '01-04-2015'; 
WHERE date BETWEEN '01-01-2015', '01-04-2015'; 
WHERE date > '01-01-2015'; 

Correct 
The filter WHERE date BETWEEN '01-01-2015' AND '01-04-2015'; outputs all records with values 
in the date column between '01-01-2015' and '01-04-2015'. 


Question 2 
Which operator is most efficient at returning all records with a status other than 'successful'? 
0/1 point 

BETWEEN 
NOT 
OR 

Correct 
NOT is most efficient at returning all records with a status other than 'successful'. The NOT operator 
negates a condition. In this case, it can be used in a filter of WHERE NOT status = 'successful';. 


Question 3 
You are working with the Chinook database. You want to find the first and last names of customers who 
have a value in the country column of either 'Brazil' or 'Argentina'. Replace --??? with the 
missing information to complete the query. (If you want to undo your changes to the query, you can click 
the Reset button.) 
USE REPLIT.COM TO RUN THIS 

SELECT firstname, lastname, country 
FROM customers 
WHERE country = 'Brazil' OR country = 'Argentina'; 

How many customers are from Brazil or Argentina? 
1/1 point 

Correct 
6 customers are from Brazil or Argentina. By replacing --??? with WHERE country = 'Brazil' OR 
country = 'Argentina';, you can complete the query and return this result. 


Question 4

While working as an analyst, you encounter a query that includes the following filter:

SELECT *
FROM customers
WHERE country = 'USA' AND state = 'NV';

What will this query return?

Information about customers who do not have a value of 'USA' in the country column or do not have a
value of 'NV' in the state column.

Information about customers who have a value of 'USA' in the country column and a value of 'NV' in
the state column.

Information about customers who do not have a value of 'USA' in the country column but do have a
value of 'NV' in the state column.

Information about customers who have a value of 'USA' in the country column or a value of 'NV' in the
state column.

Correct
The query returns information about customers who have a value of 'USA' in the country column and a
value of 'NV' in the state column. The AND operator specifies that both conditions must be met
simultaneously.


Join tables in SQL 


You've already learned a lot about SQL queries and filters. Nice work! The last concept we're 
introducing in this section is joining tables when querying a database. This is helpful when you need 
information from two different tables in a database. Let's say we have two tables: one that tells us 
about security vulnerabilities of different operating systems, and one about different machines in our 
company, including their operating systems. Having the ability to combine them gives us a list of 
vulnerable machines. That's pretty cool, right? 

First, let's start talking about the syntax of joins. Since we're working with two tables now, we need a 
way to tell SQL what table we're picking columns from. In our example database, we have an 
employee_id column in both the employees table and the machines table. In SQL statements that 
contain two columns, SQL needs to know which column we're referring to. The way to resolve this is 
by writing the name of the table first, then a period, and then the name of a column. So, we would 
have employees followed by a period, followed by the column name. This is the employee_id column 
for the employees table. Similarly, this is the employee_id column for the machines table. Now that 
we understand this syntax, let's apply it to a join! 

Imagine that we want to get a deeper understanding of the employees accessing the machines in 
our company. By joining the employees and the machines tables, we can do this! We first need to 
identify the shared column that we'll use to connect the two tables. In this case, we'll use a primary 
key in one table to connect to another table where it's a foreign key. The primary key of the 
employees table is employee_id, which is a foreign key in the machines table. employee_id is a 
primary key in the employees table because it has a unique value for every row in the employees 
table, and no empty values. We don't have a guarantee that the employee_id column in the 
machines table follows the same criteria since it's a foreign key and not a primary key. 


Next, we'll use a type of join called an INNER JOIN. An INNER JOIN returns rows matching on a 
specified column that exists in more than one table. Tables usually contain many more rows, but to 
further explain what we mean by INNER JOIN, let's focus on just four rows from the employees table 
and four rows from the machines table. We'll also look at just a few columns of each table for this 
example. Let's say we choose employee_id in both tables to perform an INNER JOIN. Let's look at 
the two rows where there is a match. Both tables have 1188 and 1189 in their respective 
employee_id columns, so they are considered a match. The results of the join are the two rows that 
have 1188 and 1189 and all columns from both tables. 

Before we move on to the queries, we have to talk about the NULL values in the tables. In SQL, 
NULL represents a missing value due to any reason. In this case, this might be machines that are 
not assigned to any employee. Now, let's bring this into SQL and do an INNER JOIN on the full 
tables. Let's imagine we want to join these tables in order to get a list of users and their office 
location that also shows what operating system they use on their machines. employee_id is a 
common column between these tables, and we can use this to join them. But we won't need to show 
this column in the results. First, let's start with a basic query that indicates we want to select the 
username, office, and operating_system columns. We want employees to be our first or left table, so 
we'll use that in our FROM statement. Now, we write the part of the query that tells SQL to join the 
machines table with the employees table. 

Let's break down this query. INNER JOIN tells SQL to perform the INNER JOIN. Then, we name the 
second table we want to combine with the first. This is called the right table. In this case, we want to 
join machines with the employees table that was already identified after FROM. Lastly, we tell SQL 
what column to base the join on. In our case, we're using the employee_id column. Since we're 
using two tables, we have to identify the table and follow that with the column name. So, we have 
employees.employee_id. And machines.employee_id. 

Let's review the output. Perfect! We have now joined two tables. The results of our query display 
the records that match on the employee_id column. Notice that these records contain columns from 
both tables, but only the ones we've indicated through our SELECT statement. There are other types 
of joins that don't require a match to join two tables, and we're going to discuss those in the next 
video. I'll meet you there! 


Types of joins 


Welcome back. I hope you enjoyed working on inner joins. In the previous video and exercises, we 
saw how inner joins can be useful by only returning records that share a value in specified columns. 
However, in some situations, we might need all of the entries from one or both of our tables. This is 
where we need to use outer joins. 

There are three types of outer joins: LEFT JOIN, RIGHT JOIN, and FULL OUTER JOIN. Similar to 
inner joins, outer joins combine two tables together; however, they don't necessarily need a match 
between columns to return a row. Which rows are returned depends on the type of join. 

LEFT JOIN returns all of the records of the first table, but only returns rows of the second table that 
match on a specified column. Like we did in the previous video, let's examine this type of join by 
looking at just four rows of two tables with a small number of columns. Employees is the left table, or 
the first table, and machines is the right table, or the second table. Let's join on employee_id. 
There's a matching value in this column for two of the four records. When we execute the join, SQL 
returns these rows with the matching value, all other rows from the left table, and all columns from 
both tables. Records from the employees table that didn't match but were returned through the LEFT 
JOIN contain NULL values in columns that came from the machines table. Next, let's talk about right 
joins. 

RIGHT JOIN returns all of the records of the second table but only returns rows from the first table 
that match on a specified column. With a RIGHT JOIN on the previous example, the full result 
returns matching rows from both, all the rows from the second table, and all the columns in both 
tables. For the values that don't exist in either table, we are left with a NULL value. Last, we'll 
discuss full outer joins. 

FULL OUTER JOIN returns all records from both tables. Using our same example, a FULL OUTER 
JOIN returns all columns from all tables. If a row doesn't have a value for a particular column, it 
returns NULL. For example, the machines table does not have any rows with employee_id 1190, so the 
values for that row in the columns that came from the machines table are NULL. To implement left 
joins, right joins, and full outer joins in SQL, you use the same syntax structure as the INNER JOIN 
but use these keywords: LEFT JOIN, RIGHT JOIN, and FULL OUTER JOIN. 


As a security analyst, you're not required to know all of these from memory. Once you understand 
the type of join you need, you can quickly search and find all the information you need to execute 
these queries. With this information on joins, we've now covered some very important information 
you'll need as a security analyst using SQL. Thank you for joining me in this video. 


Compare types of joins 


Previously, you explored SQL joins and how to use them to join data from multiple tables when these 
tables share a common column. You also examined how there are different types of joins, and each 
of them returns different rows from the tables being joined. In this reading, you'll review these 
concepts and more closely analyze the syntax needed for each type of join. 


Inner joins 


The first type of join that you might perform is an inner join. INNER JOIN returns rows matching on 
a specified column that exists in more than one table. 


It only returns the rows where there is a match, but like other types of joins, it returns all specified 
columns from all joined tables. For example, if the query joins two tables with SELECT *, all 
columns in both of the tables are returned. 


Note: If a column exists in both of the tables, it is returned twice when SELECT * is used. 


The syntax of an inner join 


To write a query using INNER JOIN, you can use the following syntax: 

SELECT *
FROM employees
INNER JOIN machines ON employees.device_id = machines.device_id;

You must specify the two tables to join by including the first or left table after FROM and the second or 
right table after INNER JOIN. 

After the name of the right table, use the ON keyword and the = operator to indicate the column you 
are joining the tables on. It's important that you specify both the table and column names in this 
portion of the join by placing a period (. ) between the table and the column. 

In addition to selecting all columns, you can select only certain columns. For example, if you only 
want the join to return the username, operating_system and device_id columns, you can 
write this query: 

SELECT username, operating_system, employees.device_id
FROM employees
INNER JOIN machines ON employees.device_id = machines.device_id;

Note: In the example query, username and operating_system only appear in one of the two 
tables, so they are written with just the column name. On the other hand, because device_id 
appears in both tables, it's necessary to indicate which one to return by specifying both the table and 
column name (employees.device_id). 


Outer joins 


Outer joins expand what is returned from a join. Each type of outer join returns all rows from either 
one table or both tables. 


Left joins 


When joining two tables, LEFT JOIN returns all the records of the first table, but only returns rows of 
the second table that match on a specified column. 


The syntax for using LEFT JOIN is demonstrated in the following query: 

SELECT *
FROM employees
LEFT JOIN machines ON employees.device_id = machines.device_id;

As with all joins, you should specify the first or left table as the table that comes after FROM and the 
second or right table as the table that comes after LEFT JOIN. In the example query, because 
employees is the left table, all of its records are returned. Only records that match on the 
device_id column are returned from the right table, machines. 


Right joins 


When joining two tables, RIGHT JOIN returns all of the records of the second table, but only returns 
rows from the first table that match on a specified column. 


The following query demonstrates the syntax for RIGHT JOIN: 

SELECT *
FROM employees
RIGHT JOIN machines ON employees.device_id = machines.device_id;

RIGHT JOIN has the same syntax as LEFT JOIN, with the only difference being that the keyword 
RIGHT JOIN instructs SQL to produce different output. The query returns all records from 
machines, which is the second or right table. Only matching records are returned from employees, 
which is the first or left table. 


Note: You can use LEFT JOIN and RIGHT JOIN and return the exact same results if you use the 
tables in reverse order. The following RIGHT JOIN query returns the exact same result as the LEFT 
JOIN query demonstrated in the previous section: 

SELECT *
FROM machines
RIGHT JOIN employees ON employees.device_id = machines.device_id;

All that you have to do is switch the order of the tables that appear before and after the keyword 
used for the join, and you will have swapped the left and right tables. 


Full outer joins 


FULL OUTER JOIN returns all records from both tables. You can think of it as a way of completely 
merging two tables. 


You can review the syntax for using FULL OUTER JOIN in the following query: 

SELECT *
FROM employees
FULL OUTER JOIN machines ON employees.device_id = machines.device_id;

The results of a FULL OUTER JOIN query include all records from both tables. Similar to INNER 
JOIN, the order of tables does not change the results of the query. 


Key takeaways 


When working in SQL, there are multiple ways to join tables. All joins return the records that match 
on a specified column. INNER JOIN will return only these records. Outer joins also return all other 
records from one or both of the tables. LEFT JOIN returns all records from the first or left table, 
RIGHT JOIN returns all records from the second or right table, and FULL OUTER JOIN returns all 
records from both tables. 
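
The script below is an added example, not course code. It builds the employees and machines tables
that the "Join tables in SQL" video and this reading describe, with constructed rows: employee_id values
1188 through 1191 on the employees side, two machines assigned to 1188 and 1189, and two unassigned
machines whose employee_id is NULL. The column names username, office, operating_system and
device_id follow the course; the row values, device_id numbers and office names are invented. It then
runs the four join types on the same ON clause so the row counts and the NULLs can be compared. The
final query goes beyond the reading: it pairs a LEFT JOIN with IS NULL to list machines that have no
owner on record, which is the kind of gap an analyst wants to find in an asset inventory. RIGHT JOIN
and FULL OUTER JOIN are supported by SQLite only from version 3.39.0; PostgreSQL supports all four.

```sql
-- Added example (not course code): constructed employees and machines tables.
CREATE TABLE employees (
    employee_id INTEGER PRIMARY KEY,  -- unique and never NULL, as the video explains
    username    TEXT NOT NULL,
    office      TEXT
);

CREATE TABLE machines (
    device_id        INTEGER PRIMARY KEY,
    operating_system TEXT NOT NULL,
    employee_id      INTEGER REFERENCES employees(employee_id)  -- foreign key; may be NULL
);

INSERT INTO employees VALUES
    (1188, 'apple',   'Houston'),
    (1189, 'bmoore',  'New York'),
    (1190, 'ccarter', 'Chicago'),   -- no machine assigned
    (1191, 'ddavis',  'Houston');   -- no machine assigned

INSERT INTO machines VALUES
    (101, 'OS 1', 1188),
    (102, 'OS 2', 1189),
    (103, 'OS 1', NULL),            -- unassigned machine
    (104, 'OS 3', NULL);            -- unassigned machine

-- INNER JOIN: only rows whose employee_id appears in both tables.
-- Returns 2 rows (1188 and 1189).
SELECT username, office, operating_system
FROM employees
INNER JOIN machines ON employees.employee_id = machines.employee_id;

-- LEFT JOIN: every employee; machine columns are NULL for 1190 and 1191.
-- Returns 4 rows.
SELECT username, office, operating_system
FROM employees
LEFT JOIN machines ON employees.employee_id = machines.employee_id;

-- RIGHT JOIN: every machine; employee columns are NULL for devices 103 and 104.
-- A NULL employee_id never matches, because NULL = 1188 is not true.
-- Returns 4 rows.
SELECT username, office, operating_system
FROM employees
RIGHT JOIN machines ON employees.employee_id = machines.employee_id;

-- FULL OUTER JOIN: every row from both tables, NULL where there is no match.
-- Returns 6 rows (2 matched, 2 employee-only, 2 machine-only).
SELECT username, office, operating_system
FROM employees
FULL OUTER JOIN machines ON employees.employee_id = machines.employee_id;

-- Beyond the reading: machines with no owner on record. After the LEFT JOIN,
-- the employees columns are NULL exactly for the unmatched machines.
-- Returns devices 103 and 104.
SELECT device_id, operating_system
FROM machines
LEFT JOIN employees ON machines.employee_id = employees.employee_id
WHERE employees.employee_id IS NULL;
```

The same ON clause is used in every query, so the only thing that changes between the results is which
unmatched rows survive, which is exactly what the join keyword decides.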


Question 1

Which join types return all rows from only one of the tables being joined? Select all that apply.

LEFT JOIN
Correct

FULL OUTER JOIN

RIGHT JOIN
Correct

INNER JOIN
This should not be selected

LEFT JOIN and RIGHT JOIN return all rows from only one of the tables being joined. LEFT JOIN returns
all the records of the first table, but only returns rows of the second table that match on a specified
column. RIGHT JOIN returns all of the records of the second table, but only returns rows from the first
table that match on a specified column. INNER JOIN only returns rows where there is a match on a
specified column.


Question 2

You are performing an INNER JOIN on two tables on the employee_id column. The left table is
employees, and the right table is machines. Which of the following queries has the correct INNER JOIN
syntax?

SELECT *
FROM employees
INNER JOIN machines ON employees.employee_id = machines.employee_id;

SELECT *
FROM employees
INNER JOIN machines WHERE employees.employee_id = machines.employee_id;

INNER JOIN machines ON employees.employee_id = machines.employee_id
SELECT *
FROM employees;

SELECT *
FROM employees
INNER JOIN ON employees.employee_id = machines.employee_id;

Correct
The following query has the correct syntax for the INNER JOIN:

SELECT *
FROM employees
INNER JOIN machines ON employees.employee_id = machines.employee_id;

It specifies the left table after FROM, then specifies the right table after INNER JOIN, and then uses the
correct syntax after ON when indicating the column to join on.


Question 3

In the following query, which join returns all records from the employees table, but only records that
match on employee_id from the machines table?

SELECT *
FROM employees
--??? machines ON employees.employee_id = machines.employee_id;

RIGHT JOIN
LEFT JOIN
FULL OUTER JOIN
INNER JOIN

Correct
LEFT JOIN returns all records from the employees table, but only records that match on employee_id
from the machines table. Because it is located after FROM, the employees table is the left table.


Question 4

As a security analyst, you are responsible for performing an INNER JOIN on the invoices and
invoice_items tables of the Chinook database. These tables can be connected through the
invoiceid column. Replace --??? with the missing information to complete the query.

SELECT customerid, trackid
FROM invoices
INNER JOIN invoice_items ON invoices.invoiceid = invoice_items.invoiceid;

What is the value in the trackid column of the first row that is returned from this query?

449

Correct
2 is the value in the trackid column of the first row returned from this query. By replacing --??? with
INNER JOIN invoice_items ON invoices.invoiceid = invoice_items.invoiceid;, you can
complete the query and return this result.


Continuous learning in SQL 


You've explored a lot about SQL, including applying filters to SQL queries and joining multiple tables 
together in a query. There's still more that you can do with SQL. This reading will explore an 
example of something new you can add to your SQL toolbox: aggregate functions. You'll then focus 
on how you can continue learning about this and other SQL topics on your own. 


Aggregate functions 


In SQL, aggregate functions are functions that perform a calculation over multiple data points and 
return the result of the calculation. The actual data is not returned. 

There are various aggregate functions that perform different calculations: 

• COUNT returns a single number that represents the number of rows returned from your query. 
• AVG returns a single number that represents the average of the numerical data in a column. 
• SUM returns a single number that represents the sum of the numerical data in a column. 


Aggregate function syntax 


To use an aggregate function, place the keyword for it after the SELECT keyword, and then in 
parentheses, indicate the column you want to perform the calculation on. 

For example, when working with the customers table, you can use aggregate functions to 
summarize important information about the table. If you want to find out how many customers there 
are in total, you can use the COUNT function on any column, and SQL will return the total number of 
records, excluding NULL values. You can run this query and explore its output: 

SELECT COUNT(firstname)
FROM customers;

The result is a table with one column titled COUNT(firstname) and one row that indicates the 
count. 
If you want to find the number of customers from a specific country, you can add a filter to your 
query: 

SELECT COUNT(firstname)
FROM customers
WHERE country = 'USA';

With this filter, the count is lower because it only includes the records where the country column 
contains a value of 'USA'. 

There are a lot of other aggregate functions in SQL. The syntax of placing them after SELECT is 
exactly the same as the COUNT function. 
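
As an added example that is not part of the course material, the script below builds a constructed
customers table (the rows, the amount column named total and the missing firstname are all invented)
and runs the three aggregate functions named above. It also shows the point the reading makes about
NULL values in a way you can see directly: COUNT(column) skips rows where that column is NULL,
whereas COUNT(*) counts every row, so the two can disagree on the same table. The AS keyword used in
the last query simply names the output column; it is standard SQL and works in SQLite and PostgreSQL.

```sql
-- Added example (not course code): constructed customers table with one NULL firstname.
CREATE TABLE customers (
    customerid INTEGER PRIMARY KEY,
    firstname  TEXT,                -- allowed to be NULL on purpose
    country    TEXT NOT NULL,
    total      REAL NOT NULL        -- invented "amount spent" column for SUM and AVG
);

INSERT INTO customers VALUES
    (1, 'Luis',   'Brazil',  20.0),
    (2, 'Leonie', 'Germany', 15.0),
    (3, NULL,     'USA',     10.0), -- firstname missing
    (4, 'Frank',  'USA',      5.0),
    (5, 'Mark',   'Canada',  40.0);

-- COUNT(column) excludes NULL values; COUNT(*) counts rows.
-- Returns one row: 4, 5.
SELECT COUNT(firstname), COUNT(*)
FROM customers;

-- The WHERE filter is applied before the aggregate is computed.
-- Returns one row: 2.
SELECT COUNT(*)
FROM customers
WHERE country = 'USA';

-- SUM and AVG sit after SELECT exactly like COUNT.
-- Returns one row: 90.0, 18.0.
SELECT SUM(total), AVG(total)
FROM customers;

-- Naming the result column makes the single-row output self-describing.
-- Returns one row with column usa_customers = 2.
SELECT COUNT(*) AS usa_customers
FROM customers
WHERE country = 'USA';
```

When a count is used as evidence (how many accounts, how many failed attempts), decide deliberately
between COUNT(*) and COUNT(column): the first answers "how many rows", the second "how many rows with a
value in that column", and on real data those numbers differ whenever a field was left empty.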


Continuing to learn SQL 


SQL is a widely used querying language, with many more keywords and applications. You can 
continue to learn more about aggregate functions and other aspects of using SQL on your own. 
Most importantly, approach new tasks with curiosity and a willingness to find new ways to apply SQL 
to your work as a security analyst. Identify the data results that you need and try to use SQL to 
obtain these results. 

Fortunately, SQL is one of the most important tools for working with databases and analyzing data, 
so you'll find a lot of support in trying to learn SQL online. First, try searching for the concepts you've 
already learned and practiced to find resources that have accurate easy-to-follow explanations. 
When you identify these resources, you can use them to extend your knowledge. 

Continuing your practical experience with SQL is also important. You can also search for new 
databases that allow you to perform SQL queries using what you've learned. 


Key takeaways 


Aggregate functions like COUNT, SUM, and AVG allow you to work with SQL in new ways. There are 
many other additional aspects of SQL that could be useful to you as an analyst. By continuing to 
explore SQL on your own, you can expand the ways you can apply SQL in a cybersecurity context. 
Congratulations! We've made it together through the end of our focus on SQL. You've put in a lot of 
work and learned an important tool that will help you on your journey as a security analyst. Let's take 
a moment to go through all of the topics you learned in this section. 

We started by learning about the structure of relational databases and how we can access them by 
using the query language SQL. We then got hands-on practice with writing our own SQL queries. 
We used SQL to bring up information you might need on the job when working as an analyst. We 
then focused on SQL filters. We started with simple conditions with strings, and by the end, we 
learned how to use multiple filters in one query. We concluded the unit with SQL joins and learned 
how to join multiple tables, giving us even more information at once. 

By completing this course, you just took a very big step in your future career as a security analyst. 
You have been introduced to a powerful tool that can help you in your work. Whenever you need to, I 
encourage you to revisit the materials in this course. Learning a querying language like SQL takes 
time. Thank you again for joining me in this journey. I hope you'll enjoy using SQL as much as I do. 


Reference guide: SQL 


The SQL reference guide contains keywords for SQL queries. Security analysts can use these 
keywords to query databases and find data to support security-related decisions. The reference 
guide is divided into four different categories of SQL keywords for security-related tasks: 

• Query a database 
• Apply filters to SQL queries 
• Join tables 
• Perform calculations 

Within each category, commands are organized alphabetically. 


Access and save the guide 


You can save a copy of this guide for future reference. You can use it as a resource for additional 
practice or in your future professional projects. 

To access a downloadable version of this course item, click the following link and select Use 
Template. 

Reference guide: SQL 

OR 

If you don’t have a Google account, you can download the item directly from the following 
attachment. 


Reference Guide SQL.pdf 
Glossary terms from module 4 


Terms and definitions from Course 4, Module 4 


Database: An organized collection of information or data 
Date and time data: Data representing a date and/or time 
Exclusive operator: An operator that does not include the value of comparison 
Filtering: Selecting data that match a certain condition 
Foreign key: A column in a table that is a primary key in another table 
Inclusive operator: An operator that includes the value of comparison 
Log: A record of events that occur within an organization's systems 
Numeric data: Data consisting of numbers 
Operator: A symbol or keyword that represents an operation 
Primary key: A column where every row has a unique entry 
Query: A request for data from a database table or a combination of tables 
Relational database: A structured database containing tables that are related to each other 
String data: Data consisting of an ordered sequence of characters 
SQL (Structured Query Language): A programming language used to create, interact with, and 
request information from a database 
Syntax: The rules that determine what is correctly structured in a computing language 
Wildcard: A special character that can be substituted with any other character 
You made it to the end of this course! Congratulations—you did it! I hope you are proud of all you 
learned. The focus of this course was computing basics. Understanding the basics of computing is a 
valuable skill as you transition into your career as a security analyst. 


Let's recap what you learned in this course. We first focused on operating systems and how they 
relate to applications and hardware. Understanding how the system you're protecting works is 
essential for doing your job effectively. That brings us to the Linux operating system. When working 
in the security profession, familiarity with Linux is important. We first discussed this architecture and 
various distributions. Then, we used a Linux command line to carry out tasks you might encounter as 
a security analyst. Finally, we looked at another useful tool and used SQL to query databases. 

After this course, I hope you have a better understanding of how these foundations of computing 
support a security analyst in their daily work. I also hope you continue your path with this program. 
There are a lot of other useful and exciting topics ahead. Once again, congratulations. You've 
finished another course. Building skills is something you should be proud of. Keep it up as you 
progress through this program. 


Course 4 glossary 


We've covered a lot of terms—some of which you may have already known, and some of which are 
new. To make it easy to remember what a word means, we created this glossary of terms and 
definitions. 
To use the glossary for this course item, click the link below and select “Use Template.” 
Link to glossary: Course 4 Glossary 
OR 
If you don’t have a Google account, you can download the glossary directly from the attachment 
below 